Windows Analysis Report
HomeDesk.msi

Overview

General Information

Sample name:	HomeDesk.msi
Analysis ID:	1447353
MD5:	3e541108bd65df0d1127e15711da911a
SHA1:	eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1
SHA256:	52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234
Tags:	msi
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Avira: detection malicious, Label: ADWARE/NotToTrack.dzcps

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll	ReversingLabs: Detection: 21%
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: HomeDesk.msi

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Unpacked PE file: 5.2.LKdayanJELT9QDD900055.exe.400000.0.unpack

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: HomeDesk.msi

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AE3A0 FindFirstFileW,FindClose,	3_2_028AE3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ADDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_028ADDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040E3A0 FindFirstFileW,FindClose,	5_2_0040E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040DDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3E3A0 FindFirstFileW,FindClose,	8_2_02C3E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C43CDA FindFirstFileW,	8_2_02C43CDA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	8_2_02C3DDBC

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1Host: newsfoos.from-il.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1Host: newsfoos.from-il.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: newsfoos.from-il.com

Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php#
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php&
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.phpN%
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.phpOI
Source: LKdayanJELT9QDD900055.exe, LKdayanJELT9QDD900055.exe, 00000008.00000002.2035773364.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2036285297.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2038808113.000000007E290000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000003.2032891929.000000007E640000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2039755447.000000007EC70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/v03rLptMes/inspecionando.php

Contains functionality for read data from the clipboard

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C448D2 OpenClipboard,

8_2_02C448D2

Contains functionality to modify clipboard data

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C4499A SetClipboardData,

8_2_02C4499A

Contains functionality to read the clipboard data

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C445E2 GetClipboardData,

8_2_02C445E2

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C446BA GetKeyboardState,

8_2_02C446BA

System Summary

PE file contains section with special chars

Source: AGLoader.dll.1.dr	Static PE information: section name: .Lp&
Source: AGLoader.dll.1.dr	Static PE information: section name: .l)4

Contains functionality to call native functions

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C444A2 NtdllDefWindowProc_W,

8_2_02C444A2

Contains functionality to launch a process as a different user

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBD43 __EH_prolog3_GS,SetErrorMode,__set_abort_behavior,_memset,CreateProcessAsUserA,CreateProcessA,

3_2_00ECBD43

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C4458A ExitWindowsEx,

8_2_02C4458A

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da2f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE168.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da32.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da32.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIDD3D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDC0B4	3_2_00EDC0B4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE7105	3_2_00EE7105
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF12DA	3_2_00EF12DA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB373	3_2_00EDB373
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDC4E9	3_2_00EDC4E9
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF344A	3_2_00EF344A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED2672	3_2_00ED2672
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE87DC	3_2_00EE87DC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED28C5	3_2_00ED28C5
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB867	3_2_00EDB867
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF184C	3_2_00EF184C
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED5A90	3_2_00ED5A90
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDEBDC	3_2_00EDEBDC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE0B47	3_2_00EE0B47
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDBC7F	3_2_00EDBC7F
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF0D68	3_2_00EF0D68
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE2D1E	3_2_00EE2D1E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF1FF6	3_2_00EF1FF6
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDAFC9	3_2_00EDAFC9
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AC3B8	3_2_028AC3B8
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040C3B8	5_2_0040C3B8
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C432BB	8_2_02C432BB
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3C3B8	8_2_02C3C3B8

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe 7FA7499C7A72041D7D0FB1E4659466AD8D428080A176FA16276FD60ADC9DA0FD
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSIDD3D.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0

Found potential string decryption / allocating functions

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00EDDFB0 appears 53 times
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00ED8F00 appears 60 times
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00ED8F33 appears 41 times

PE file contains more sections than normal

Source: AGLoader.dll.1.dr

Static PE information: Number of sections : 12 > 10

Sample file is different than original file name gathered from version info

Source: HomeDesk.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs HomeDesk.msi

Source: classification engine

Classification label: mal88.evad.winMSI@8/142@1/1

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43BBA AdjustTokenPrivileges,

8_2_02C43BBA

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43D5A GetDiskFreeSpaceW,

8_2_02C43D5A

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44012 SizeofResource,

8_2_02C44012

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLE1C1.tmp

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Mutant created: \Sessions\1\BaseNamedObjects\My-Ecommece

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF66716DC87A4382C0.TMP

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Command line argument: >b

3_2_00EE6190

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HomeDesk.msi

ReversingLabs: Detection: 31%

Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\HomeDesk.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B2D85995D295580A3E8CCFD73CF5DB1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: unknown	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: unknown	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B2D85995D295580A3E8CCFD73CF5DB1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: HomeDesk.msi

Static file information: File size 23561216 > 1048576

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: HomeDesk.msi

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Unpacked PE file: 5.2.LKdayanJELT9QDD900055.exe.400000.0.unpack

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .l)4

PE file contains sections with non-standard names

Source: AGLoader.dll.1.dr	Static PE information: section name: .didata
Source: AGLoader.dll.1.dr	Static PE information: section name: .Lp&
Source: AGLoader.dll.1.dr	Static PE information: section name: .LaQ
Source: AGLoader.dll.1.dr	Static PE information: section name: .l)4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDF974 push edi; ret	3_2_00EDF976
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFA7F push esi; ret	3_2_00EDFA8F
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFC68 push esi; ret	3_2_00EDFC6A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFD51 push edi; ret	3_2_00EDFD53
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED8ECE push ecx; ret	3_2_00ED8EE1
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDDFF5 push ecx; ret	3_2_00EDE008
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028B0020 push ecx; mov dword ptr [esp], edx	3_2_028B0021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AF114 push ecx; mov dword ptr [esp], eax	3_2_028AF119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ABA24 push ecx; mov dword ptr [esp], edx	3_2_028ABA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028A6DF9 pushfd ; retf	3_2_028A6E03
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_00410020 push ecx; mov dword ptr [esp], edx	5_2_00410021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040F114 push ecx; mov dword ptr [esp], eax	5_2_0040F119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040BA24 push ecx; mov dword ptr [esp], edx	5_2_0040BA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_00406DF9 pushfd ; retf	5_2_00406E03
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C40020 push ecx; mov dword ptr [esp], edx	8_2_02C40021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C35113 push ecx; ret	8_2_02C35114
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3F114 push ecx; mov dword ptr [esp], eax	8_2_02C3F119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3178B push dword ptr [eax+1Ah]; ret	8_2_02C317BA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C334D7 push esp; ret	8_2_02C334E5
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C33467 push dword ptr [edi+3Ah]; ret	8_2_02C3347E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C42438 push ecx; mov dword ptr [esp], edx	8_2_02C42439
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C4256C push ecx; mov dword ptr [esp], ecx	8_2_02C42571
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3BA24 push ecx; mov dword ptr [esp], edx	8_2_02C3BA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C34B5F push 33F86C61h; ret	8_2_02C34B64
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31849 push ds; ret	8_2_02C3184A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31851 push ds; ret	8_2_02C31852
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31858 push ds; ret	8_2_02C3185A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31839 push ds; ret	8_2_02C3183A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C439E8 push 10E40002h; ret	8_2_02C439ED
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C36DF9 pushfd ; retf	8_2_02C36E03

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Financeiro			Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Financeiro			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5C0005 value: E9 8B 2F 94 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76F02F90 value: E9 7A D0 6B 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5D0005 value: E9 2B BA 8F 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76ECBA30 value: E9 DA 45 70 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5E0008 value: E9 8B 8E 93 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76F18E90 value: E9 80 71 6C 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 600005 value: E9 8B 4D 5F 75	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75BF4D90 value: E9 7A B2 A0 8A	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 610005 value: E9 EB EB 5F 75	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75C0EBF0 value: E9 1A 14 A0 8A	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 620005 value: E9 8B 8A 9B 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 74FD8A90 value: E9 7A 75 64 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 630005 value: E9 2B 02 9D 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75000230 value: E9 DA FD 62 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E20005 value: E9 8B 2F 0E 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76F02F90 value: E9 7A D0 F1 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E30005 value: E9 2B BA 09 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76ECBA30 value: E9 DA 45 F6 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E40008 value: E9 8B 8E 0D 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76F18E90 value: E9 80 71 F2 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E70005 value: E9 8B 4D D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75BF4D90 value: E9 7A B2 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E80005 value: E9 EB EB D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75C0EBF0 value: E9 1A 14 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E90005 value: E9 8B 8A 14 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 74FD8A90 value: E9 7A 75 EB 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: EA0005 value: E9 2B 02 16 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75000230 value: E9 DA FD E9 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A10005 value: E9 8B 2F 4F 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76F02F90 value: E9 7A D0 B0 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A20005 value: E9 2B BA 4A 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76ECBA30 value: E9 DA 45 B5 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A30008 value: E9 8B 8E 4E 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76F18E90 value: E9 80 71 B1 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E70005 value: E9 8B 4D D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75BF4D90 value: E9 7A B2 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E80005 value: E9 EB EB D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75C0EBF0 value: E9 1A 14 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E90005 value: E9 8B 8A 14 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 74FD8A90 value: E9 7A 75 EB 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: EB0005 value: E9 2B 02 15 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75000230 value: E9 DA FD EA 8B	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44832 IsIconic,

8_2_02C44832

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDAFC9 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_00EDAFC9

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Window / User API: foregroundWindowGot 361

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 7.9 %
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 5.7 %
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 2.5 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AE3A0 FindFirstFileW,FindClose,	3_2_028AE3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ADDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_028ADDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040E3A0 FindFirstFileW,FindClose,	5_2_0040E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040DDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3E3A0 FindFirstFileW,FindClose,	8_2_02C3E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C43CDA FindFirstFileW,	8_2_02C43CDA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	8_2_02C3DDBC

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_028AFFB8 GetSystemInfo,

3_2_028AFFB8

Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.00000000006B2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EE6408 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_00EE6408

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

3_2_00EE6408

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDD605 GetProcessHeap,

3_2_00EDD605

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED07FC __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,__EH_prolog3_catch,SetErrorMode,__set_abort_behavior,SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler,__set_abort_behavior,_signal,_signal,_signal,_signal,_signal,_signal,	3_2_00ED07FC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB285 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00EDB285
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB254 SetUnhandledExceptionFilter,	3_2_00EDB254

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44AEA keybd_event,

8_2_02C44AEA

Contains functionality to simulate mouse events

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44AF2 mouse_event,

8_2_02C44AF2

Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER)
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerVO

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDE4AA cpuid

3_2_00EDE4AA

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00EEF0B3
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00EEF1DD
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_00EEF28A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	3_2_00EEF35E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00EED6C4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	3_2_00EEEB0A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	3_2_00EDCC65
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	3_2_00EDCC28
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00EEEDBE
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	3_2_00EEED7E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00EEEEBE
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00EEEE3B
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	3_2_028AE4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_028AD958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	5_2_0042F000
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0040D958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_0040E4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	8_2_02C5F204
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	8_2_02C3E4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_02C3D958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	8_2_02C43D9A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	8_2_02C43DA2

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDDE45 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00EDDE45

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43E9A GetTimeZoneInformation,

8_2_02C43E9A

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_028AFFCC GetVersion,

3_2_028AFFCC

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
35.199.75.136	newsfoos.from-il.com	United States		15169	GOOGLEUS	false

Contacted Domains

Name	IP	Active
newsfoos.from-il.com	35.199.75.136	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://newsfoos.from-il.com/clientes/inspecionando.php	false	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Avira: detection malicious, Label: ADWARE/NotToTrack.dzcps

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll	ReversingLabs: Detection: 21%
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Source: HomeDesk.msi

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll

Joe Sandbox ML: detected

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Unpacked PE file: 5.2.LKdayanJELT9QDD900055.exe.400000.0.unpack

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: HomeDesk.msi

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AE3A0 FindFirstFileW,FindClose,	3_2_028AE3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ADDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_028ADDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040E3A0 FindFirstFileW,FindClose,	5_2_0040E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040DDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3E3A0 FindFirstFileW,FindClose,	8_2_02C3E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C43CDA FindFirstFileW,	8_2_02C43CDA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	8_2_02C3DDBC

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1Host: newsfoos.from-il.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /clientes/inspecionando.php HTTP/1.1Host: newsfoos.from-il.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: newsfoos.from-il.com

Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php#
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.php&
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.000000000064D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.phpN%
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2904904326.0000000000697000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://newsfoos.from-il.com/clientes/inspecionando.phpOI
Source: LKdayanJELT9QDD900055.exe, LKdayanJELT9QDD900055.exe, 00000008.00000002.2035773364.0000000002C30000.00000040.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2036285297.00000000031B0000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2038808113.000000007E290000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000003.2032891929.000000007E640000.00000004.00001000.00020000.00000000.sdmp, LKdayanJELT9QDD900055.exe, 00000008.00000002.2039755447.000000007EC70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D42000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/v03rLptMes/inspecionando.php

Contains functionality for read data from the clipboard

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C448D2 OpenClipboard,

8_2_02C448D2

Contains functionality to modify clipboard data

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C4499A SetClipboardData,

8_2_02C4499A

Contains functionality to read the clipboard data

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C445E2 GetClipboardData,

8_2_02C445E2

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C446BA GetKeyboardState,

8_2_02C446BA

System Summary

PE file contains section with special chars

Source: AGLoader.dll.1.dr	Static PE information: section name: .Lp&
Source: AGLoader.dll.1.dr	Static PE information: section name: .l)4

Contains functionality to call native functions

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C444A2 NtdllDefWindowProc_W,

8_2_02C444A2

Contains functionality to launch a process as a different user

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBD43 __EH_prolog3_GS,SetErrorMode,__set_abort_behavior,_memset,CreateProcessAsUserA,CreateProcessA,

3_2_00ECBD43

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C4458A ExitWindowsEx,

8_2_02C4458A

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da2f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE168.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da32.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\53da32.msi	Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIDD3D.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDC0B4	3_2_00EDC0B4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE7105	3_2_00EE7105
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF12DA	3_2_00EF12DA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB373	3_2_00EDB373
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDC4E9	3_2_00EDC4E9
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF344A	3_2_00EF344A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED2672	3_2_00ED2672
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE87DC	3_2_00EE87DC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED28C5	3_2_00ED28C5
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB867	3_2_00EDB867
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF184C	3_2_00EF184C
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED5A90	3_2_00ED5A90
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDEBDC	3_2_00EDEBDC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE0B47	3_2_00EE0B47
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDBC7F	3_2_00EDBC7F
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF0D68	3_2_00EF0D68
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EE2D1E	3_2_00EE2D1E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EF1FF6	3_2_00EF1FF6
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDAFC9	3_2_00EDAFC9
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AC3B8	3_2_028AC3B8
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040C3B8	5_2_0040C3B8
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C432BB	8_2_02C432BB
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3C3B8	8_2_02C3C3B8

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe 7FA7499C7A72041D7D0FB1E4659466AD8D428080A176FA16276FD60ADC9DA0FD
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSIDD3D.tmp 42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0

Found potential string decryption / allocating functions

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00EDDFB0 appears 53 times
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00ED8F00 appears 60 times
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: String function: 00ED8F33 appears 41 times

PE file contains more sections than normal

Source: AGLoader.dll.1.dr

Static PE information: Number of sections : 12 > 10

Sample file is different than original file name gathered from version info

Source: HomeDesk.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs HomeDesk.msi

Source: classification engine

Classification label: mal88.evad.winMSI@8/142@1/1

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43BBA AdjustTokenPrivileges,

8_2_02C43BBA

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43D5A GetDiskFreeSpaceW,

8_2_02C43D5A

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44012 SizeofResource,

8_2_02C44012

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLE1C1.tmp

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Mutant created: \Sessions\1\BaseNamedObjects\My-Ecommece

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF66716DC87A4382C0.TMP

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Command line argument: >b

3_2_00EE6190

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: HomeDesk.msi

ReversingLabs: Detection: 31%

Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-b-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: jp-ocr-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: ISO_6937-2-add
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-SEFI-ADD
Source: LKdayanJELT9QDD900055.exe	String found in binary or memory: NATS-DANO-ADD

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\HomeDesk.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B2D85995D295580A3E8CCFD73CF5DB1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: unknown	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: unknown	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1B2D85995D295580A3E8CCFD73CF5DB1	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: agloader.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: HomeDesk.msi

Static file information: File size 23561216 > 1048576

Source:

Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: HomeDesk.msi

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Unpacked PE file: 5.2.LKdayanJELT9QDD900055.exe.400000.0.unpack

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .l)4

PE file contains sections with non-standard names

Source: AGLoader.dll.1.dr	Static PE information: section name: .didata
Source: AGLoader.dll.1.dr	Static PE information: section name: .Lp&
Source: AGLoader.dll.1.dr	Static PE information: section name: .LaQ
Source: AGLoader.dll.1.dr	Static PE information: section name: .l)4

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDF974 push edi; ret	3_2_00EDF976
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFA7F push esi; ret	3_2_00EDFA8F
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFC68 push esi; ret	3_2_00EDFC6A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDFD51 push edi; ret	3_2_00EDFD53
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED8ECE push ecx; ret	3_2_00ED8EE1
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDDFF5 push ecx; ret	3_2_00EDE008
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028B0020 push ecx; mov dword ptr [esp], edx	3_2_028B0021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AF114 push ecx; mov dword ptr [esp], eax	3_2_028AF119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ABA24 push ecx; mov dword ptr [esp], edx	3_2_028ABA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028A6DF9 pushfd ; retf	3_2_028A6E03
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_00410020 push ecx; mov dword ptr [esp], edx	5_2_00410021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040F114 push ecx; mov dword ptr [esp], eax	5_2_0040F119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040BA24 push ecx; mov dword ptr [esp], edx	5_2_0040BA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_00406DF9 pushfd ; retf	5_2_00406E03
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C40020 push ecx; mov dword ptr [esp], edx	8_2_02C40021
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C35113 push ecx; ret	8_2_02C35114
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3F114 push ecx; mov dword ptr [esp], eax	8_2_02C3F119
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3178B push dword ptr [eax+1Ah]; ret	8_2_02C317BA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C334D7 push esp; ret	8_2_02C334E5
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C33467 push dword ptr [edi+3Ah]; ret	8_2_02C3347E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C42438 push ecx; mov dword ptr [esp], edx	8_2_02C42439
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C4256C push ecx; mov dword ptr [esp], ecx	8_2_02C42571
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3BA24 push ecx; mov dword ptr [esp], edx	8_2_02C3BA25
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C34B5F push 33F86C61h; ret	8_2_02C34B64
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31849 push ds; ret	8_2_02C3184A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31851 push ds; ret	8_2_02C31852
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31858 push ds; ret	8_2_02C3185A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C31839 push ds; ret	8_2_02C3183A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C439E8 push 10E40002h; ret	8_2_02C439ED
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C36DF9 pushfd ; retf	8_2_02C36E03

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Financeiro			Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Financeiro			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5C0005 value: E9 8B 2F 94 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76F02F90 value: E9 7A D0 6B 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5D0005 value: E9 2B BA 8F 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76ECBA30 value: E9 DA 45 70 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 5E0008 value: E9 8B 8E 93 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 76F18E90 value: E9 80 71 6C 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 600005 value: E9 8B 4D 5F 75	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75BF4D90 value: E9 7A B2 A0 8A	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 610005 value: E9 EB EB 5F 75	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75C0EBF0 value: E9 1A 14 A0 8A	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 620005 value: E9 8B 8A 9B 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 74FD8A90 value: E9 7A 75 64 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 630005 value: E9 2B 02 9D 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 2500 base: 75000230 value: E9 DA FD 62 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E20005 value: E9 8B 2F 0E 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76F02F90 value: E9 7A D0 F1 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E30005 value: E9 2B BA 09 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76ECBA30 value: E9 DA 45 F6 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E40008 value: E9 8B 8E 0D 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 76F18E90 value: E9 80 71 F2 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E70005 value: E9 8B 4D D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75BF4D90 value: E9 7A B2 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E80005 value: E9 EB EB D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75C0EBF0 value: E9 1A 14 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: E90005 value: E9 8B 8A 14 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 74FD8A90 value: E9 7A 75 EB 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: EA0005 value: E9 2B 02 16 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 6524 base: 75000230 value: E9 DA FD E9 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A10005 value: E9 8B 2F 4F 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76F02F90 value: E9 7A D0 B0 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A20005 value: E9 2B BA 4A 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76ECBA30 value: E9 DA 45 B5 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: A30008 value: E9 8B 8E 4E 76	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 76F18E90 value: E9 80 71 B1 89	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E70005 value: E9 8B 4D D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75BF4D90 value: E9 7A B2 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E80005 value: E9 EB EB D8 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75C0EBF0 value: E9 1A 14 27 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: E90005 value: E9 8B 8A 14 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 74FD8A90 value: E9 7A 75 EB 8B	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: EB0005 value: E9 2B 02 15 74	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Memory written: PID: 4476 base: 75000230 value: E9 DA FD EA 8B	Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44832 IsIconic,

8_2_02C44832

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

3_2_00EDAFC9

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Window / User API: foregroundWindowGot 361

Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDD3D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDDEA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE0BB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDDBB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDF43.tmp	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 7.9 %
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 5.7 %
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API coverage: 2.5 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028AE3A0 FindFirstFileW,FindClose,	3_2_028AE3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_028ADDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	3_2_028ADDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040E3A0 FindFirstFileW,FindClose,	5_2_0040E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 5_2_0040DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	5_2_0040DDBC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3E3A0 FindFirstFileW,FindClose,	8_2_02C3E3A0
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C43CDA FindFirstFileW,	8_2_02C43CDA
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 8_2_02C3DDBC GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,	8_2_02C3DDBC

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_028AFFB8 GetSystemInfo,

3_2_028AFFB8

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

3_2_00EE6408

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

3_2_00EE6408

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00ECBED0 CreateToolhelp32Snapshot,Process32First,GetCurrentProcessId,OpenProcess,Process32Next,CloseHandle,

3_2_00ECBED0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDD605 GetProcessHeap,

3_2_00EDD605

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe "C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe"

Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00ED07FC __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z,__EH_prolog3_catch,SetErrorMode,__set_abort_behavior,SetUnhandledExceptionFilter,__set_invalid_parameter_handler,__set_invalid_parameter_handler,__set_abort_behavior,_signal,_signal,_signal,_signal,_signal,_signal,	3_2_00ED07FC
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB285 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00EDB285
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: 3_2_00EDB254 SetUnhandledExceptionFilter,	3_2_00EDB254

Contains functionality to simulate keystroke presses

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44AEA keybd_event,

8_2_02C44AEA

Contains functionality to simulate mouse events

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C44AF2 mouse_event,

8_2_02C44AF2

Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: PROGRAM MANAGER)
Source: LKdayanJELT9QDD900055.exe, 00000003.00000002.2906804901.0000000002D7C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program ManagerVO

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDE4AA cpuid

3_2_00EDE4AA

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00EEF0B3
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00EEF1DD
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_00EEF28A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	3_2_00EEF35E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_00EED6C4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	3_2_00EEEB0A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	3_2_00EDCC65
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	3_2_00EDCC28
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00EEEDBE
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	3_2_00EEED7E
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	3_2_00EEEEBE
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_00EEEE3B
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	3_2_028AE4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_028AD958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	5_2_0042F000
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0040D958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	5_2_0040E4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: EnumSystemLocalesW,	8_2_02C5F204
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetUserDefaultUILanguage,GetLocaleInfoW,	8_2_02C3E4F4
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_02C3D958
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	8_2_02C43D9A
Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	Code function: GetLocaleInfoW,	8_2_02C43DA2

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_00EDDE45 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00EDDE45

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 8_2_02C43E9A GetTimeZoneInformation,

8_2_02C43E9A

Source: C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe

Code function: 3_2_028AFFCC GetVersion,

3_2_028AFFCC

ID:	1447353
Product:	CloudBasic
Start time:	21:20:13
Start date:	24.05.2024
Sample:	HomeDesk.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	3e541108bd65df0d1127e15711da911a
SHA1:	eb6ae2a6dd97fa670dcae50daef8444b3ae14cc1
SHA256:	52459bfa76a1b8918e1e18c7b35b9a5ea0c4876e7483e2f486217e3059b6c234
Filetype:	Windows SDK Setup Transform Script (63028/2) 47.91%

Name	Type	MD5	SHA1	SHA256
C:\Config.Msi\53da31.rbs	data	06CB062114DA9BFF18932880A51A5E28	1AD68536737EF2808D6ECB4C27AC9295040BF429	E7661B978F3A7E65C096041329619D2C9CAFF4068B179F2F42FD249FD68630DE
C:\Users\user\Nota Fiscal Eletronica\AGLoader.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	EB77A874ABBD9BA3DAFA46CF1B7FF686	445F040A12BADA9F7CC1B5791551ADAE4AAA382F	9F2281DF855C4CD8A66591A7328DA0C73860BEA35E89AD01DD0A80C207520815
C:\Users\user\Nota Fiscal Eletronica\LKdayanJELT9QDD900055.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EB67273C54E78DB4FAFFAB9001148753	0E6CAB2FDF666E53C994718477068E51B656E078	7FA7499C7A72041D7D0FB1E4659466AD8D428080A176FA16276FD60ADC9DA0FD
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv0.0.tv	data	F3E2E17C9D9D0A2A617D5191C52B2A46	A8C71D1726E88CB212D5CAF85F22161889425CD5	68D812F6F5332E25299A988317E00E232E77C976E1325DD482D199E14B4C0A94
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv0.1.tv	data	A1273F0C3285077283ACECA12E6441CF	D0A3059C109592E207C2A959D7006E66D16079AD	6018FC0C419711176481E092C6268198EC4AF0979FA020A41F7317589D720592
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv0.2.tv	data	33D4E72700DE06616773F322FFEADE23	DFB9AF6B852B7C75861AB231524626539EFE98EC	15FAF32B447CF64F47117812ADDCC5EE4A9E654F062508A14E745E4A4A8D82AF
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv1.1.tv	data	31BE227EBD00EB32E0D97C03547953AA	29B9357D45D7B9417E8D701562DF4ECF029AA235	2ABD44444B428A8438980C23290653818567A1C52A6F6E28CD582F02ED7A1997
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv1.2.tv	data	3F07A14138725B4FEA87018778E99C9D	E9476B1F97D68E4B041CE45B3AC8B367FDA9AE73	884AF08E980F32A5D857AEF65E94D692CC5179F0298151CB3EEE28307D5294C3
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv1.3.tv	data	C5A27652BFEF12D580F8C7D9278BFB56	B8FA94A092969B00A2CA49AADE501F86C7D05124	84239C96D1A3EEA8F4A1131EE859C70863D2D2FF981DB955A204D06FB3E399F9
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv10.0.tv	data	21A9EE4A323D30EBF01E909E0D2458DD	B1FF6EF537D741A21DE4C9940711E5403CB95154	84FF014DDE709723B41574356866AE44A9C31FBE172719091AF2F7C211F515C5
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv10.1.tv	data	0F47D734176C343CF3FBE700D08D0062	5D33092BE18F4EA93B82B852B806436AB9AAE103	61D82DE1D9F5DF0B5F96C7F4E1CB249E3A41A49A3225FA2C58E781E0AA8AC351
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv11.0.tv	data	D5607B6BF989EF431346619F0D81D09F	7C9606C08F7EE8176948A694BF36ED7BEF058571	C8E14FDE2559E6F71CA0CF023D2CC51636E171B206CAEFC11DEF6045D98E66A1
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv11.1.tv	data	8912777F68DD57322A21A454A3038289	F7373B9BF2C1BE2542144873D904D3205514F13E	26F01B5F8468B8E78D88232717D2785C9EAEC35F239820AFB0DDA382297A0830
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv12.0.tv	data	5056454E25D9DA771B1927ED97BFAF0D	1A7E91BE971E815071A58C54BA57B9FB613DFDDB	EDCAF92F597D225DB49C4DF56300BF4962177B689409758571790DAF262575CA
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv12.1.tv	data	56D17C7CB534DD8290971648EAEF4B84	AA757929675926B17D02078C69F0F3B4972C6E18	7860C45AB4056B141C9031E95F2E93E852531D1AA03B4E5FD6164C6C4E812C64
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv13.0.tv	data	91EC970B7C15E11680F47A1413B72962	339B0A308CD1F5B4174F7F43999A4281C205503B	6BF4C19E221830BD5BABCAC9F92089A656882E3793FC69879D804788960FD223
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv13.1.tv	data	76865ECCE4C30C2536236ED171A0D76E	B5E5C62D55D317D1D7F77915C5738A8635C82C9C	C7B799B3DEE229B709AD9DAE5E029FA5A7D7BE8BE0454F49527B632C07D9F625
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv14.0.tv	data	3D8772A6F26F6BAAD2715A514D7A419D	5062988072F8CC660EAD6BB5BC7767EBD68705E3	8FA4E1AF5CBF40A9A52A718BD43EF4C089632E732B1EAC5299E73994E947B219
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv14.1.tv	data	20354B294A886DE9EED65C05B8B4E0EA	FDB0C9C8E67DC389C3D33BFEAA45B11EADE89B37	3B01077CB6F2B33E1FD4B44D6F8FCB2144840AB59E819665B331CBB753E1DD1D
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv15.0.tv	data	D7901A0FB829DB040107D2C02943A4D6	18A852B5DA7A2B57A6154C83C80F62ED67570791	E2F925AA3AF7174F26E96571038AB83FC1D1D8F4F5A2EB1C48C654EDA1E6A2D1
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv15.1.tv	data	490064B278F31F395A1D93488FE7417C	85F0BAEABE880AEC6324E2D994BAA37235C8F260	30DEFE60FF9390B8B828759FBF90B152A8F8BE7423258897E31712E27AA18463
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv16.0.tv	data	7E93CE1B4A288A0764CAB1A866932F7D	1EEE7FCFA3EDACB29875BCA791855FE5327ECA0B	F6D10BF1489717408DC6F215A3996AE1C666D50FEC1AB4D80D84C0BF0D8F28A6
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv16.1.tv	data	3E9FF1A1C7D11B406196267E0C1FE54B	539E9238F09C47E907E428B3F9C993A74E3A89F2	B87FD006B7A4B7CA41B0C0C836636CDC46A1B87AB8BB0C17C0380FA42BC40E05
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv17.0.tv	data	B954EE1D0DDBD6917660F9C3BD90703A	D21DFBB906266FCB3569968A706DAEE6BC399176	AA5EFEE8E48E66DDF491A2F253ABE81E304E36A8F9A2A45B54F0C7F415D70582
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv17.1.tv	data	199C9F4ACDC95653F0741CD7BBED72E7	872E1E241DA7FAB037DB2C8C855B02C25CF29C94	E77435E9B11AE1A2A014EE878F069BDD9198ED746CBACA50AD334020125858EC
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv18.0.tv	data	55023E704F32EB3F068C673D0FEA18CB	D20D01F61ACA12CB38E9C62737A895FFDDCF6A4E	96C294875C7A8068301FB076CFC5DEFD26DF7B47AD875F6804886D0E374DD725
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv18.1.tv	data	26E1D8BF489FA30F98149CF812E0A1D2	3C063A89D5D9E18CAF21E35C398FD50E09D9426A	340B5EA15AAC2496C69567327F34EB33E1AF6FC4BD8201B81E32A3816B475826
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv19.0.tv	data	D0EA1D0ABDB8F217D26A0CC27116268C	74F9A8FDCD8A5279C6458A37B75C38A09A4C921B	DC51F45745036F0A6F9F902BDC57412B928DB386BF0393497DEDF53D183833E2
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv19.1.tv	data	F71B653B55720C08816297D442F005FF	EC97519842F03D1A7834565DFFE1A0A795FF03FE	547CEE01D9AC02641550287145E9A8B33FAA10CF9D26EA53432924F0804EC4B0
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.1.tv	data	7AFF247D52FE6468A6E06E206616A83D	0965687E40619574263356EC26AB66DB93334A06	67D33D3FF9384867E6175C75EF916F01EBF68DDD3C463371A537678866196690
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.2.tv	data	43CB62B23805F38DF000C7B9D0227402	00CFC3FB4D1292E824A76563E81078D2894B928B	C5AD8B348F0C81F93FC6C5573FC6252E5D1F6FAC2A9810834B0222C41175CF0D
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.3.tv	data	306A37CCC16E48CD582D0AA8E2643C6B	1DA98DA8E420081FC1C66737F42C4DBFE679DE65	875CEC1FC380D90F8E4F0405A35AD8B370F30B3C4FCEC33150CF31D7EE650EA6
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.4.tv	data	068530597136C000D573D2CBF07DCA45	2D80345B8550146498393A3DC533EE8EF21D48B0	D122CAB4C0DD68F062F3ECA1831521456916655D90AD728CF37E9BC2E18B0B1F
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.5.tv	data	62BD966FFC5049BF7EB18A93FCA491B0	3C4BB0234E229219E5F346A2007082F780BE1C0D	14CA1F80674F606C54925B3B6862C7751BCD75B0C15C22002E954B0D33ED0F85
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv2.6.tv	data	D5A0EC5D290F02C4D03068DD57ECF672	4243FB0146728E2D5566ED7D771156DCE1A2FCA3	6DF1BC6AB82B91079D9372B28E30CBCFDCB0168A36480A47BE76C73F3F49FAF7
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv20.0.tv	data	24B707FD8F1EA5BE94980DB03F9A4974	8A43A69E524AA1C3DFCDB9733B6F24FBF494A983	D40D84E9BF8832D4E07C6F20B94E3C65779F5676250AB5CA2339B3DCBF0EC84D
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv20.1.tv	data	C4A315EC291DE2F3F060B1EFF06F822C	0AC931648653F07C6853E0BA0DA03369AF79B228	5514E5CDA485D604D5D175050276EB54BC537AC3EDBB7FA9BE6BDF14922F995A
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv21.0.tv	data	8BACDD58461F723850227630FEA68F61	33C75A0B8BD260F260090ABF8F25BF94A11ADA73	79DF17693D9C2475D709983ABE3B900E751BD1E58964EE34BBE8EA916FA07CBB
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv21.1.tv	data	6C692AE84BE3FE987C5FC52FD5AEB9B1	FA422785D76A48DA99F731A0DB17478D7D142824	16CFB08F9CC69C1ACDCE702214720F818686CFA9A42F3FF05526694564FFB431
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv22.0.tv	data	A93213451F57225C3051FDC3A9A54D33	26642DDC5DEFDA68EE2E9C9048718FD09300A004	685DD381523288E76ABE931E340D79A9A79AC66A0CFD1B320AB4273B856401E1
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv22.1.tv	data	6B13FB595DF0775BD7DAB5C4EF1CF33F	87695667DEBEDEA6F532DE90211A139E43061DBB	DF4BBEAF14D89508FCBFA0E5CC50513B07230AC9956F9B2EA0B03A815DDA6B3B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv23.0.tv	data	1102C549BF4ACBE4400788190D6FAFE7	1625A297A43DBAFFB10C3F608D79E964C86039F8	DAA3E8880F7B5A880F77D81700A439A5A64F59FF3E6B879BAD5CAA497AE3262B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv23.1.tv	data	5A706F42F9089D7AA5E568D189BD1BCF	F03514F3496ADA198C372E2322F832F3FA177473	DCA0BF36CA8F7107FDB544AB5EC0B0DBE0368EE867AA49C5DA83EFF03A8E1502
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv24.0.tv	data	1CA74733AE8ABBD526A623D582E90A86	260FEF5EF8B976E4F4AFC691A68F234042B4CD9A	F717F00037738CA385C9AE1B3E037E0625E85FC98C8DE173DBF7AB7022890D2F
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv24.1.tv	data	E9FC5502E223B097FA82863E38696042	E9080049C173BFE988B52BFB2B282FF0ADB31653	3EFD7525C6E1C07381ADC32A22B66EF88C64FF2E435685017E2496E6DE679537
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv25.0.tv	data	521EA1C6299FE47C3B8F46983A5F5F98	0CB2134FDFF277C7E673C7AAC0776DF32B81315A	96DE6B919F013279A734B5227AE3338C63E18EF48C9C5994F9BA4856A53C52EC
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv25.1.tv	data	7BD0788C2A434C64645AB556C23A14BF	457BF437B71E509C067F9CA989F06507B36C7D41	64074ED1669C55D065ACC85368F2BD1CEE2CC99A0DEF52DED9FEE6AF4B03E9A1
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv26.0.tv	data	7DC228BB1FB3CCFC2A310127002336EB	D8B6ECD339DC0286DEC5CD9EF5211849AF3B56AC	4C3198AB4B08000E629C09B7C8CF396477C67136156FB0335D6BD09749D1AF0C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv26.1.tv	data	45DBEEB0F96E14C59F803893BD7746E7	A02C2C8B1394E30B8D22B1A7941D510EF17CC7D3	4D8E74DD8F673A15AE145743B068776EA448DB5C5BA3998AA52284EE7CA0E49E
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv27.0.tv	data	C0D13EA141E94E3B4C3B46379BC86F2D	D2F48AE05CBB726F2428E4ED7B3524954745932B	AB6FD893CFA08AD52384D6EE973A065BFEF0A9031B166B776CFEA50E82BEF86E
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv27.1.tv	data	E88B3293685B5BD4921F00B41181F2B0	465E6B6356B6DEBE9AEFD74AF6EF2E482D1A7459	C215E0660D9D639C4815C9E21033CAE69A2B3640F713FBD131983E049AC12B0D
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv28.0.tv	data	2C0C638204B7B944014072E9BD661C2E	0DB79474902F51D17F4B759ECC9B8832D010C95E	152C8CEBCE73C59ADFF0CB6AF008E4FACF0645F48A23BB39284A322789515C4C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv28.1.tv	data	543591DCBA79B507C11B753FDD53D763	2857BC187AE459798602C1934DD5CB8D0AD1A38C	836B6F24C024DB7707C7305AA84A15B2225E6ADB4470D26B3112FA8FA87197A0
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv29.0.tv	data	7C68CFB5F5AF152F8D9C45C83968F9E5	CF14E3B400F43071E3611D692E50B43B5E7FB0BA	68A83A6DEFE3F339E116965863EF4C536D61503DD87F6ACB3C1ECB18B716821B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv29.1.tv	data	737A1374A5503F702CD7BEFFB402D3D2	1A780B0A10595593080718EE112922ADFD48F6D9	9B18FDD03F15144E86DF6AE41BF04793AC713BCE12155D2AE55274CAC80093CA
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv3.0.tv	data	C0300FC156DB04F541F7ED73F9FDBF8D	5F832818E0F6B3FB867132B3029DF65846D2DA7B	363F0AC6CBCA8A470E1974AB22630E5CEA1862260136681E890D9DB5FAF8F6CD
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv3.1.tv	data	6F3F2AB7AFE7A02426C29B531A1E2059	4DC70B7C61290ACDA9018EB6CC232B5FF1489B90	BAE2F04E13BF7FC6E3E17C37B5DB13A227A9F4FA715E1B4A854A836FF549DDE2
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv3.2.tv	data	BCC3E81F72C645434C9481A2116C60C0	292C7B2855A68CD0D73A1463E2BB813D35545828	D9F8F7214FBAB1A34E05A598294A8334D349805E6769055BE2156A9DD0B6DABC
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv30.0.tv	data	FCFC417613F8478F23B9C140BB23F4A7	E7E01B23F7676D2C0800010306E7361532B9B71A	C97DEC1EC391C52D9A46BBB89E5930E9AE550D7052C143C5FB682ED713DE2211
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv30.1.tv	data	6C2BC1DA0BBABB0DF6F041BA937A20B5	CF937FE32F3547B7DC36BB5CAA1A6935F6EBF96D	123F6347C23DB951962166C5FAC65FA4807E2A1167143608A9701E8485CD903E
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv31.0.tv	data	6E48EF4B588D5002062771F83B511CA0	F62D62F9EA643704E4265A5765157743FCE5B794	CADB718A410A980F1AF13CA8A1036CB2F39D7D4FC9950C87835C4EA52096AB0B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv31.1.tv	data	49B41606048FB6579B5C827AD76BEFA0	3F7576EEB4DF5F05CEEF96F4987B94D3BB539A5D	973FA4E3E481F20E7EC967C2E187BBC36190855B23863395672AB3BA273E2619
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv32.0.tv	data	ED55D55ACBF2BC589FF4137F91BA917B	1DD3FF5BB16B506456E25715D3DC3AA46DDB1794	B45B6C087B04A99B7E0B08ACA4D8A3669E195670F9EBE3B8296EAF06D54EBCB4
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv32.1.tv	data	DC6D00260945F7978A7BBB54898ABDE8	27626BCB0CD95894877A0F8EAC9F4849AD9A0C08	5973EA970E87174BE790CF7920EF106E8826927C68A3932176EC83D9FC845BE2
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv33.0.tv	data	7DD26494230197E3554FBE5CEFB303FF	615E61F246115B019438B2AEE6E0F4199768F374	ECCBB604596DFD593B795BEC0C04CB985C701A01EE50D21AA58367D25E3993AE
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv33.1.tv	data	75D904723AA149166E0FDB850E933171	BC39EC23774AA7D964566CBAF35C23F6752E2FEE	A9D5D5873CA1713C2C7C172109E127ED943014EEF0CAED269CA3354FDB373416
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv34.0.tv	data	9DDC5E19AFDF801947E63E9F1A4CB172	20A2A279E7E619FBB293500559F5485FCCD8101B	3209106CEAC1D911D2B5BEF0EF2441E9285AB933701BE9E4B9749C773B83FDAA
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv34.1.tv	data	BA63FE08745649EF7409FB4B46CCC9A4	41183AF44A3F948952D72E609934D58F6AE7C77F	BAE33927C53C629FBAECB3A6578C128FEB37A9F49FBB6AC8BDF8CC6386BE6FA0
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv35.0.tv	data	C9AC9354B7E5BF16E8A02D8912BE5B25	830CAE5E71F17FBA34DE2EB0A78EDAF21B09741B	7BFC65C85AE5FBBDD681F92A3901A17BA9D7E5F55B705967812E53D2855C4244
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv35.1.tv	data	B885A0966AF37D3A1C28EB16B505A751	B51E6526C987935FBDE80CE039FDDC3E0460AB2A	6A9A038A54D95860E3011F93391DBEC99FCCED9ED7A1A6615F5F8A1FE50A3157
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv36.0.tv	data	95A6D0ED38A760F66FB112A5DE59A007	B8ED6F61A7C517CD823F6D5CE0E9217967BEF890	1917C0F40A87CAD58D49123CE2C7626943504C0F1B3FB8A4826958DE2FD9CBEF
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv36.1.tv	data	946B26FFB476A97FE2151D1EBC46CB15	7C9E829F00161D1C314FFD35AD56C87788102DA2	9593E3D3D284E900189B6F8E5E473B0CC83C817D7E58C649E10AE9672B005E36
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv37.0.tv	data	27F06D436A9F1D9CFE5331BB820C5886	E1E7C6A9DB93EB16537CA3E55FBFF36AA03F6837	871C8926B79A0BAE43A035E00C030AE79713A6B2B15116D25A9D0DD967D433FB
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv37.1.tv	data	59277C66CA0C3F137749B2F0CB6E5C10	7EBA4A7CC9AFCCF75DE58D365749295A8969CD42	5F98CE2635A33388E7E3D7793873D6304AD31BBB7D33362999D418E1297515AE
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv38.0.tv	data	C607F49179483B4A4FC6D510E225E5A7	424BF0A62051C28C3E3872E5F78320E2F66E8F29	E00BCDDC005391C50994D8C32487BD8218CAAF3D1D05CC6925BF810A240EC852
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv38.1.tv	data	341724703E215BD6C8B1CC913B43C760	A348E7BEC48CC02A89C81B96ADDB5F72547BAD1C	21F9220D1393695A01ED52B0BA713832AB84686ED71AEEFA5576ACB04FE961E4
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv39.0.tv	data	5FF15A57BC129B5997E1ED33B59FD859	D9748C94D6986C5914C7ABAF7F941234ACFE3657	EA50E8F3C7A99AE4A918A9E123F598056877022BBD2A9952538FC11D917C7D9B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv39.1.tv	data	06A392C6ED644F5EB544528F0F943CAF	F355C8E5D3FC6A45E451EA716F576DA2DF8C585C	C6979DD2F845F6CBED19FD786A169D1B7E0F2B769912A0E7F31076870559C499
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv4.0.tv	data	69233711359E955EF620804A89773A01	31BDFA90CAF80D82C6ED0AD96F5AEC3E76894438	4F2D662F51F476511B875EEA8D545B3B398D5D636955565EA7582A5170AE5942
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv4.1.tv	data	85FA11E8E404ACB68CC0E94112DE4EAC	9726564F9B236EFE6A97647AAE5CD33D221780A7	4B889FDB958AF334996955C1D16CD0E8C2D8CA32B0D7E6C1D48CB7F88C74E503
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv40.0.tv	data	5650BB8A3AFB95778C068056EA82F1AF	3862B30011875537FD471AD3EEC60436E151B8F4	3D6BCABE68EE6DD6CF5B1CB75674C71A4AD44EA1DF2EEF5B9247E6832367F104
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv40.1.tv	data	136E5B4E8CC6E1A10CD31A82271FD432	CC75803F4A294AA7E5043C924C5564E11BDB01A1	541A4CB4AC89DC976197A2A355237633E615DEE30A717C1F822FB0387BB998F0
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv41.0.tv	data	EE38E0CD908F86BB34C79806EF14B1EB	09AE883AC80691697BA410143814877F174C5DCF	2F062581D9EC9D7ABFE8661AC22B933AFC54BE7389C61C5DF0DD96046BF83497
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv41.1.tv	data	C2E464DDD469ED66377B1D87DAF374E9	872D185AC8B901066A18363671F5CF82577D343D	B8B6885914A26B0783B641F8FBCAAF2B9AB77DA95052ADCA3D72AC8A2D85275A
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv42.0.tv	data	F073FEC496AC5960CD531E513B582CC9	452E711982ED3EEFC4DAC87D35168FB71BAE072B	C0177D09026E291B5D9AB07270EB11AF84E803035EF40AB3E049C5A6222B608A
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv42.1.tv	data	CC1DF6047E4681437B87702D383BBD98	D92EE9749E6A0ADCA26B5BE52995528159BD153F	21F765962B28615E8AC9FA0E54D71B14E85A44726B2EF67D8A2C8B0B1D800A34
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv43.0.tv	data	52DBFE44F46C542099A53306A1E20721	6AD3B8DE484520F4B35AFAEF79380BA16038EDC2	E828D0D534098273B0F77F37A95A07F1451D0F594902F34768337AD2C381EB17
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv43.1.tv	data	87AF00A1137B5F8D1E68C3BF739A5BC1	0B46C8C6819134DEC64A985278517738F89856AE	86D5C6999F042D4ED076DB76B6F24FD94B462A88AB146922CAD236DFC6DD1C8B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv44.0.tv	data	AA3B049417B78B1453B7F83A8840704D	D51ED06C114F7C6DDF4EB95BEC14BF84631DBE41	5DE3E13B34DD3AAF6B4732C189D9AA396EA672A53B6D39638D7B13BFB25A11FD
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv44.1.tv	data	AE721CD59DF67789B72FE5FEBC3903F3	A1AC6F678715E98E6DC412E3B06BF9556181B4D3	929295B2FDDF474A277B72791FDAE5F9E606C37C6EA553B45ADDF0558A0F89F7
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv45.0.tv	data	E5BE9FE9FC69D4CA4FAE3E164BEEF8F7	4240C824C6D42D0E2804BEFE78B12FF6DD441E31	B8058CB5EB9C0B765F5A278B8CBF144536150FACF37BD79E4837BA2AD0DEA629
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv45.1.tv	data	48CA22EB8386290DFD54E8C474879B52	311CE04FD8D3C5ACD3BFA13BB3024116F653249C	3C52B3127BDCF7C2AF11243F0A51DD46FC4A8BF458C8C6FA109EA3F92A60534C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv45.2.tv	data	FDCDBBBAEE3059F45AFE1563E6CBBFA1	070C618BD94A68CBBEF90A7881613374B10188D0	14B18605E1084E969EB0FD796C07FD885ADA907947291AF17997DC91513E4DD5
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv45.3.tv	data	CEC8262AEAE454048A13FCEF64416666	48BF36FE244FC7300195796678D8D560032B718A	BAD738A7A5E22A0B4DD9C6A440FF722D75B562F0D7E3052427EDE9F57BBC9EF6
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv45.4.tv	data	C6607EDBDDFB082E9BA6689D3AEA1E53	68FED24E716D40BBE87B8A0A34B19F6D8A78D151	F082CAC36BBBA6DE1C63C117C7088EF6467471358ABCF0941686CDD7A87BFD3B
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv46.0.tv	data	9FB28A483FE0F6E313424ADC933F2018	D9A04488876058281DDB52E8CBCEE17E65FD38CD	844CAE30A329226B37557F2A4F5E3EC39B9BA5668F0FD85535121D17EB05D051
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv46.1.tv	data	0CF5444E3F86C21B31BDE867F575EEAB	D81B7FB4178FDBD274DC36713A95B85F7B2CF260	7C9437E6BCA2A03FB75E5EE49F4215BC96FC295FB0C2CA3311FB61559763B5EF
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv47.0.tv	data	80D5F631C0C99F56A4F95A4398D5753F	A05A2BACCB9C0C2C412D83246FE2E8BAB03AE801	9C67AABD5894663D4A71D7605753681861C4807A113E554ED5EFE3A6637B57F2
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv47.1.tv	data	7A962A158FAC54BEFD5EA4277A549457	414925688F195194FC8BF8363F75395EBFB6638E	76EA5441F6A6D54B07B269CFEDB92802AE31C66ABDB1AF4FB9ADC822A5C56BB3
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.3.tv	data	1AB21C5CE52A3B96BDD9CEAD9FDF91F2	C9DFD5ED7BE1A3FBEC25E571A2DDA485661DC50C	7A41283A414F42D601DBCC159237BAB46053F34E54617E5B5C46F71DEC29D35E
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.4.tv	data	BFF1266CB467298E1BF77139D09345E1	1FDD52F261E8A9B5FD57AF4EE2B8B7BB4EC99B7E	A35D6A6DF0B4A1D66438B48317D31DF0926500CF03A439413B76C691559DD232
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.5.tv	data	2A8322657D20CCC866150BEBC9630AEB	083C0665D5F92BA9B9C0FA8ABD886FFDE99EA508	BEF7BC80ADA71D2AD28950C5B2B291513E913B2A65A802CA0384E40759942274
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.6.tv	data	35EF6B79DA388875331B47C2EBC2F47E	C2600F156D2D9CB3A8B951A3C25D5C18BEE3B8B1	3CBE601BE6588C29EC451529BA99FA9288EA2B9F06FAC2D9EA9FD2ABA17F8D2C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.7.tv	data	AB299939F803241F523C0CB4D6B4D0C4	1D76A8DE56E56BADD3488B9DE1C6FCB58FC65074	A5433FC2217D43866965AC1DD3400E09C43E69CA465DF4CE11AF778E77DA24E0
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv48.8.tv	data	A95E284BBDCDCC82138270A29DE31376	FB4EB3AF050A86CF27A27B092EA086BB52F5BE07	F9A5A71B000D9057942813FC2A61D8D5CD2415F5B60E75A1928D4D38EFEDE15F
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv5.0.tv	data	44ECC1328F59A8E238B7CC0875D8676B	B8E208314A05A58B4C634B65786EAB5396E0A163	ADA56B7CA45E461C08E8B3DAF1D3B0139ABC31B05DAAC06655FA8A4064D8667C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv5.1.tv	data	B0972A8D56CC2BC157A681D59FB35966	A0D9AC2EABBC73D8F157C7E1468DFF204AED7F02	B04C2BB17C93C9D202514E8E83FB557F7CDA9197D916A9E786EF3C0D517DC412
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv6.0.tv	data	C02DCB97546872D163EFF9D291CDBFD3	0BDA89EA75167768D9A08A1FA6ED6E1CC686EFEB	03D9526D1AEF606B1FA43C127E7B1141AA568FADE454C1C0060BB9C732E0B626
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv6.1.tv	data	7ACBE69D3B767E94BD59B48104364992	647C91290222513C2AB94FFB8A36F70FEFF265B6	593CD5BA79A489C4388809E17EBCB32AF9B10EBC33C895955E13A06CE8F48C43
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv7.0.tv	data	53BFA45DC4DF8F99473480A954EF3981	53A74C7CF7AD41FABB4609C7EEB5BC3428B55B1F	A0F2039554A03DB416709C08D36012CBF5A8EA313C258A58B7EF43DC947A1AAA
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv7.1.tv	data	F2320A86A314A2B869E484BE85AA6DA2	E4DD98178CC70A9C3861BE10539DD9EE44797F0E	C0908DBA50A0B348646C7D12E7C2E247EFB76807C7DDB8911E9D4A354ECFD320
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv7.2.tv	data	038BD3AFC1C645309EA2AC8241FAEA4E	5994BCD83A0FFC73AC95C04E72A760E0CDE69AAA	62EA1884D2CA67157D5B5706EA9ECB04CEAC87EE43C6F776849075D6EF77558C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv7.3.tv	data	EA95C5772F569691D94170C70962F47F	BC6FE7868B681FF643C78F7B02B2C79A7FF6D53E	2F47E1C26AD874F6D7DB789195A379A6C48F0FD6C29CFE074A1B5EC5ECE975D5
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv7.4.tv	data	C73202DDFB9FFDD67A33F1DACAB45698	64A4CF5CF5F44FEDA94DC39598D72A87E822AA90	4605673AD3A8E30731A88C0AC09350B4691D6FFA035F7780213AA43A52625B1D
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv8.0.tv	data	DA245CD9A3C4B3C3801D3AF51F65669E	B4CBF06B1741C6F11BFCB70AF71648E9CD303AFA	4ED05DA6232A33F423440381F7537F81D7A191869F61CADD46503A6219F61956
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv8.1.tv	data	83F1BCCDC2F210D7DE086FC737916F39	9CDE2A6162D3DA680ABCE27F73014762F9F3ACAD	B00A874071BAC257B2FD82634301D93F2EF93AD7B2B6FA4CA59081C674E58083
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv9.0.tv	data	4B55B9B8CD72784B8F4E86594C976C38	153DC16E17AD981DA1B8A9D990E00061D54CD49E	9E3F1E22A087D3714AFD5E5C25817CB5D92F9DD158DBD5995D7E7B7FA7963C0C
C:\Users\user\Nota Fiscal Eletronica\iframe\rolloutfile.tv9.1.tv	data	A227291090374BE07560BE98E820569E	79DE95ED367C987D0F2C009799E91C8D6EAD2127	1BAC6A4DA0B8762762846D3828510696B82B9DACFC9341CF79A659863B328937
C:\Users\user\Nota Fiscal Eletronica\volume.dat	data	77DE03A0A71F4BAD680C0442086FCC3E	F3732EDD5D446D89A99F17F81BE1736BC9ECE856	259B7777D4455BC558EB1C89AD0A69151DE670A5D19FFA25F972C090BC3136EB
C:\Windows\Installer\53da2f.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {16DCA61C-6A0D-4F02-A29D-AC9E50B5C214}, Number of Words: 10, Subject: Nota Fiscal Eletronica, Author: Nota FIscal Eletronica, Name of Creating Application: Nota Fiscal Eletronica, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Nota Fiscal Eletronica., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri May 24 18:08:16 2024, Number of Pages: 200	3E541108BD65DF0D1127E15711DA911A	EB6AE2A6DD97FA670DCAE50DAEF8444B3AE14CC1	52459BFA76A1B8918E1E18C7B35B9A5EA0C4876E7483E2F486217E3059B6C234
C:\Windows\Installer\53da32.msi	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {16DCA61C-6A0D-4F02-A29D-AC9E50B5C214}, Number of Words: 10, Subject: Nota Fiscal Eletronica, Author: Nota FIscal Eletronica, Name of Creating Application: Nota Fiscal Eletronica, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Nota Fiscal Eletronica., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri May 24 18:08:16 2024, Number of Pages: 200	3E541108BD65DF0D1127E15711DA911A	EB6AE2A6DD97FA670DCAE50DAEF8444B3AE14CC1	52459BFA76A1B8918E1E18C7B35B9A5EA0C4876E7483E2F486217E3059B6C234
C:\Windows\Installer\MSIDD3D.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADBCF6F5A0199ECC0220CE23A860D89	073C149D68916520AEA882E588AB9A5AE083D75A	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
C:\Windows\Installer\MSIDDBB.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADBCF6F5A0199ECC0220CE23A860D89	073C149D68916520AEA882E588AB9A5AE083D75A	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
C:\Windows\Installer\MSIDDEA.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADBCF6F5A0199ECC0220CE23A860D89	073C149D68916520AEA882E588AB9A5AE083D75A	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
C:\Windows\Installer\MSIDF43.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADBCF6F5A0199ECC0220CE23A860D89	073C149D68916520AEA882E588AB9A5AE083D75A	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
C:\Windows\Installer\MSIE0BB.tmp	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CADBCF6F5A0199ECC0220CE23A860D89	073C149D68916520AEA882E588AB9A5AE083D75A	42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
C:\Windows\Installer\MSIE168.tmp	data	9DAFBEADE87FFDB01D2ACEB2B0F6CEAB	C745464EC3A099995E03DFE7B367D9EFF1EEEFAD	1E80E921FB8F64373F512AA444743B4C82675CA02CB5D4D05B9805C2E7A75ABF
C:\Windows\Installer\SourceHash{CD47C468-A902-4164-B360-5693BA87F9BC}	Composite Document File V2 Document, Cannot read section info	FB166FB4A5137DD7268106CA346A692F	ABF26FB18E51453ED4F79AB470D780A334BC793A	5464D94E6B8445FC9E808812849BB4A3A9C95BBAF9CA920EFA654EE5A753E506
C:\Windows\Installer\inprogressinstallinfo.ipi	Composite Document File V2 Document, Cannot read section info	D7C4A783B1705A8E7995F38416FEBF66	934AF027366279B63A685AB5A4E8C343A214BBEA	72864D022528470633173AA1CFF2BEE8257371A0E7963C42C597654BFF3CB0AB
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	3B7D73DEBA0EE70CE95E1E4DFC0210CF	BD60847828870E85363FC615E5536EE4E99682EC	10151E35974365E65367CC0C483E01A8CCA55A69B8AF00BD1937F985743F56A5
C:\Windows\Temp\~DF01F8A61A6F83E3B0.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF1B2B1AE4D46C4A14.TMP	Composite Document File V2 Document, Cannot read section info	70F363EDF2EB3B2F0F30156A9FE8BEB5	C3A650022A8C6C1C657E8206D0B3C7CE3C05082B	82839FBE060DACB3FD555BDD7D9743AA60C9016492F9F007C67CA78AEAC54FE9
C:\Windows\Temp\~DF20CF643BE25625F6.TMP	Composite Document File V2 Document, Cannot read section info	D7C4A783B1705A8E7995F38416FEBF66	934AF027366279B63A685AB5A4E8C343A214BBEA	72864D022528470633173AA1CFF2BEE8257371A0E7963C42C597654BFF3CB0AB
C:\Windows\Temp\~DF29AA714D001E56ED.TMP	Composite Document File V2 Document, Cannot read section info	D7C4A783B1705A8E7995F38416FEBF66	934AF027366279B63A685AB5A4E8C343A214BBEA	72864D022528470633173AA1CFF2BEE8257371A0E7963C42C597654BFF3CB0AB
C:\Windows\Temp\~DF49E483823D53DA02.TMP	data	ACCE05BC955368430693160736ABC2D5	DCE581A3932BD69D6E513B07861DE15133E90A66	ADA564B6C247593AE179D319353CF78FFE344901BFB316097897C78672026588
C:\Windows\Temp\~DF66716DC87A4382C0.TMP	data	78DB331FCFE8DEE2C115926343EA3AA8	ADD9732F0140E10A0D21A296521EB20690427A36	771CDE5B61FD53EB4273C16E3E944AEB967B5E93DB4063C07BA1A06AB3C4B0DF
C:\Windows\Temp\~DF6675F6C8D980D559.TMP	Composite Document File V2 Document, Cannot read section info	70F363EDF2EB3B2F0F30156A9FE8BEB5	C3A650022A8C6C1C657E8206D0B3C7CE3C05082B	82839FBE060DACB3FD555BDD7D9743AA60C9016492F9F007C67CA78AEAC54FE9
C:\Windows\Temp\~DF808F27D5AC6BD4F4.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DF8A9EA8E1CEF88136.TMP	Composite Document File V2 Document, Cannot read section info	70F363EDF2EB3B2F0F30156A9FE8BEB5	C3A650022A8C6C1C657E8206D0B3C7CE3C05082B	82839FBE060DACB3FD555BDD7D9743AA60C9016492F9F007C67CA78AEAC54FE9
C:\Windows\Temp\~DFB2188FFBC53DA54D.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC5261587E7ECE041.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
C:\Windows\Temp\~DFC593D2471515D277.TMP	data	BF619EAC0CDF3F68D496EA9344137E8B	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

Windows Analysis Report
HomeDesk.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report HomeDesk.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
HomeDesk.msi